
Windows Analysis Report
0438.pdf.exe

Overview

General Information

Sample name: 0438.pdf.exe (renamed because the original name is a hash value)
Original sample name: .pdf.exe
Analysis ID: 1543779
MD5: 2d11dba46735af1cb1c0a42e9564e20d
SHA1: b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256: e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Double Extension File Execution
Enables network access during safeboot for specific services
Enables remote desktop connection
Initial sample is a PE file and has a suspicious name
Uses an obfuscated file name to hide its real file extension (double extension)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 0438.pdf.exe (PID: 7348 cmdline: "C:\Users\user\Desktop\0438.pdf.exe" MD5: 2D11DBA46735AF1CB1C0A42E9564E20D)
    • msiexec.exe (PID: 7440 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • Acrobat.exe (PID: 7452 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7764 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 8016 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1592,i,1356508992648061810,7446310958173615635,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • msiexec.exe (PID: 7504 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • ROMFUSClient.exe (PID: 2516 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8320 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8412 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8460 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8512 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8556 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)
  • svchost.exe (PID: 7828 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ROMServer.exe (PID: 8580 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8712 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8720 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8748 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8856 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8956 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 9068 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 9096 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 4408 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
  • cleanup
No configs have been found
YARA matches

Dropped files
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Memory dumps
Source | Rule | Description | Author | Strings
00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Unpacked PEs
Source | Rule | Description | Author | Strings
7.0.ROMFUSClient.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
9.0.ROMServer.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0438.pdf.exe, NewProcessName: C:\Users\user\Desktop\0438.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0438.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\0438.pdf.exe", ProcessId: 7348, ProcessName: 0438.pdf.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7828, ProcessName: svchost.exe
No Suricata rule has matched
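The Sigma match above fires on the file name alone; the process tree in this report shows the rest of the chain worth alerting on: the double-extension lure spawns a quiet msiexec install from the user's Temp directory, and the MSI service then launches LiteManager's ROMFUSClient.exe with /silentinstall. The following Python turns those three observations into triage rules. It is an added example, not Joe Sandbox code or the Sigma rule itself; EVENTS is constructed from the process tree on this page (parent PIDs of the top-level processes are not shown on the page and are set to 0), and the extension list in DOUBLE_EXT is an assumption covering common lure extensions rather than the full list used by the Sigma rule.

```python
"""Triage rules for the process tree in this report (added example)."""
import ntpath
import re

# Document/image extension immediately followed by .exe, e.g. 0438.pdf.exe.
# Extension list is an assumption, not the Sigma rule's full list.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|rtf)\.exe$", re.IGNORECASE)
# msiexec quiet-install switches (/qn or /quiet) as standalone tokens.
QUIET_MSI = re.compile(r"(^|\s)/(qn|quiet)(\s|$)", re.IGNORECASE)
# Package path under the user's temp directory, as in ...\AppData\Local\Temp\pdf.msi.
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# LiteManager server binaries seen in the report; /silentinstall is the flag used there.
RMM_IMAGES = {"romfusclient.exe", "romserver.exe"}

# Constructed from the report's process tree: (pid, parent pid, command line).
EVENTS = [
    (7348, 0, r'"C:\Users\user\Desktop\0438.pdf.exe"'),
    (7440, 7348, r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn'),
    (7452, 7348, r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"'),
    (7504, 0, r"C:\Windows\system32\msiexec.exe /V"),
    (2516, 7504, r'"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall'),
    (8412, 7504, r'"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall'),
    (8556, 8512, r'"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start'),
]


def image_of(cmdline):
    """Return the image path: the quoted first argument, or the first whitespace-delimited token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split()[0]


def evaluate(events):
    """Return (rule, pid) pairs for every event that trips a rule."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in events}
    hits = []
    for pid, ppid, cmd in events:
        name = ntpath.basename(image_of(cmd)).lower()
        if DOUBLE_EXT.search(name):
            hits.append(("double_extension", pid))
        if name == "msiexec.exe" and QUIET_MSI.search(cmd) and USER_TEMP.search(cmd):
            hits.append(("silent_msi_from_user_temp", pid))
            parent = by_pid.get(ppid)
            # Chain rule: the quiet install was launched by a double-extension lure.
            if parent and DOUBLE_EXT.search(ntpath.basename(image_of(parent[1])).lower()):
                hits.append(("lure_spawns_installer", pid))
        if name in RMM_IMAGES and "/silentinstall" in cmd.lower():
            hits.append(("rmm_silent_install", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:28} PID {pid}")
```

Acrobat.exe opening the decoy Doc.pdf and the later /firewall and /start runs trip nothing on their own; the signal is the combination of the lure name, the quiet install from Temp, and the silent RMM install, which is why the chain rule keys on the parent rather than on msiexec alone.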

Signature results
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf
Source: 0438.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 0438.pdf.exe | Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb (PDB path of the WinRAR SFX stub)
Source: C:\Windows\System32\msiexec.exe | File opened: a:, b:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | File opened: c:
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DBB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DA40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DCFCA0 FindFirstFileExA
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | File opened: C:\Windows\SysWOW64\wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | File opened: C:\Windows\SysWOW64\winspool.drv
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | File opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | File opened: C:\Windows\SysWOW64\
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | File opened: C:\Windows\SysWOW64\winmm.dll
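The sfxrar.pdb path string above, together with the "File is packed with WinRar" signature, identifies 0438.pdf.exe as a WinRAR self-extracting stub, and such a stub carries its archive appended after the PE image. The following Python locates and carves that archive so the dropped pdf.msi and Doc.pdf can be examined without executing the stub. It is an added example, not code from this report; SAMPLE is a constructed stand-in because the real file's bytes and offsets are not on the page, the RAR4/RAR5 signatures are the documented archive magic values, and the script file name in the usage note is assumed.

```python
"""Carve the archive appended to a WinRAR SFX stub without executing it (added example)."""
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
PDB_HINT = b"sfxrar"  # fragment of the WinRAR SFX stub's PDB path seen in the report

# Constructed sample: MZ/PE-looking stub with the PDB string, then an appended RAR5 archive.
STUB = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 128
    + b"D:\\Projects\\WinRAR\\sfx\\build\\sfxrar64\\Release\\sfxrar.pdb\x00"
    + b"\x00" * 64
)
ARCHIVE = RAR5_MAGIC + b"\x01\x00" * 8 + b"constructed archive body"
SAMPLE = STUB + ARCHIVE


def find_archive(data):
    """Return (offset, kind) of the earliest RAR signature after the MZ header, else None."""
    if data[:2] != b"MZ":
        return None
    best = None
    for kind, magic in (("RAR5", RAR5_MAGIC), ("RAR4", RAR4_MAGIC)):
        off = data.find(magic, 2)
        if off != -1 and (best is None or off < best[0]):
            best = (off, kind)
    return best


def is_winrar_sfx(data):
    """True when the file carries the sfx stub's PDB hint and an appended RAR archive."""
    return PDB_HINT in data and find_archive(data) is not None


def carve(data):
    """Return the bytes of the appended archive, from its signature to end of file."""
    hit = find_archive(data)
    if hit is None:
        raise ValueError("no RAR signature after the PE stub")
    return data[hit[0]:]


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE
    hit = find_archive(data)
    print(f"winrar sfx: {is_winrar_sfx(data)}  archive: {hit}")
    if path and hit:
        # Write the carved archive next to the input so it can be listed offline.
        open(path + ".carved.rar", "wb").write(carve(data))
```

Run as `python carve_sfx.py 0438.pdf.exe` (assumed script name) on a copy of the sample; the carved .rar can then be listed with 7-Zip or unrar on an isolated host. WinRAR stores the SFX script (the Setup= and Silent= commands that drive the drop-and-run of pdf.msi and Doc.pdf) in the archive comment, so that is the first thing to read from the carved file.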

                  Networking

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Registry value created: NULL Service
Source: Joe Sandbox View | IP Address: 96.7.168.138
Source: AledensoftIpcServer.dll.3.dr, ROMwln.dll.3.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000005.00000002.2938882637.000002A2E9E00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9C78000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9C78000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9C78000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9CAD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: ROMFUSClient.exe, 00000007.00000000.1804660098.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1813980374.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 0000000F.00000002.2936854724.000000000179C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2937455075.000000000268C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2937455075.000000000278C000.00000004.00001000.00020000.00000000.sdmp, MSIDA03.tmp.3.dr, English.lg.3.dr, Turkish.lg.3.dr | String found in binary or memory: http://litemanager.com/
Source: ROMFUSClient.exe, 00000012.00000002.2937455075.0000000002793000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://litemanager.com/03y
Source: ROMServer.exe, 0000000F.00000002.2936854724.000000000179C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://litemanager.com/03z
Source: ROMFUSClient.exe, 00000012.00000002.2937455075.000000000278C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://litemanager.com/1
Source: ROMFUSClient.exe, 00000007.00000000.1804660098.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1813980374.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Ukrainian.lg.3.dr, Russian.lg.3.dr | String found in binary or memory: http://litemanager.ru/
Source: Ukrainian.lg.3.dr | String found in binary or memory: http://litemanager.ru/forum/ru/memberlist.php?mode=viewprofile&u=977.
Source: ROMServer.exe, 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://litemanager.ru/noip.txtU
Source: AledensoftIpcServer.dll.3.dr, ROMwln.dll.3.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://s2.symcb.com0
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://sv.symcd.com0&
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: MSIDA03.tmp.3.dr | String found in binary or memory: http://www.LiteManagerTeam.com
Source: ROMFUSClient.exe, 00000007.00000003.1818191092.00000000029B7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1810551436.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000009.00000003.1816021044.00000000029A7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000A.00000003.1840595903.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000C.00000003.1838364653.0000000001147000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000D.00000003.1881269930.0000000002807000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.1874831239.0000000002937000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000002.2936854724.0000000001700000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.2936419272.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000003.1877801379.0000000002917000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2937455075.00000000026F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000003.1899204478.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000003.1913091884.00000000027C7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000018.00000003.1919643905.0000000002897000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9D22000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9D22000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: ROMFUSClient.exe, 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://litemanager.com/romversion.txt
Source: ROMFUSClient.exe, 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
Source: svchost.exe, 00000005.00000003.1716927061.000002A2E9D22000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:

                  System Summary

Source: initial sample | Static PE information: Filename: 0438.pdf.exe
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D9C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\42d2ef.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIDA03.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\42d2f2.msi
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\42d2f2.msi
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DAA4AC
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB3484
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DBB190
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC0754
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D9F930
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DA4928
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D95E24
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB1F20
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DBCE88
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB53F0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DAB534
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB21D0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DAF180
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D9A310
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D9C2F0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D97288
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DA126C
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D94840
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DCC838
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD2550
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D976C0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC8C1C
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB4B98
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DABB90
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DA5B60
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC89A0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB3964
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DAC96C
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD5AF8
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D91AA4
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB2AB0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DCFA94
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DA1A48
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD2080
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB8DF4
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB2D58
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DAAF18
Source: ROMViewer.exe.3.dr | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe.3.dr | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.3.dr | Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ROMServer.exe0.3.dr | Static PE information: Number of sections : 11 > 10
Source: ROMServer.exe.3.dr | Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.3.dr | Static PE information: Number of sections : 11 > 10
Source: ROMFUSClient.exe.3.dr | Static PE information: Number of sections : 11 > 10
Source: ROMViewer.exe.3.dr | Static PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'
Source: 0438.pdf.exe, 00000000.00000003.1689218135.0000015038912000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1689218135.000001503891E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1694300045.0000015034914000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcrobat.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameISRegSvr.dll vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1689218135.0000015038904000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1689218135.000001503887E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
Source: 0438.pdf.exe, 00000000.00000003.1689218135.000001503887E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 0438.pdf.exe
Source: classification engine | Classification label: mal64.troj.evad.winEXE@48/97@0/4
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2D9B6D8 GetLastError,FormatMessageW,LocalFree
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DB8624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7588
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray
Source: C:\Users\user\Desktop\0438.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4378203
Source: Yara match | File source: 7.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED
Source: 0438.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\0438.pdf.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\0438.pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\0438.pdf.exe | File read: C:\Users\user\Desktop\0438.pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\0438.pdf.exe "C:\Users\user\Desktop\0438.pdf.exe"
Source: C:\Users\user\Desktop\0438.pdf.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Source: C:\Users\user\Desktop\0438.pdf.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1592,i,1356508992648061810,7446310958173615635,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: unknown | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dlnashext.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wpdshext.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cscapi.dll
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: propsys.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: edputil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: urlmon.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iertutil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: srvcli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wintypes.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: appresolver.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: bcp47langs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: slc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: apphelp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: apphelp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: propsys.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: edputil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: urlmon.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iertutil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: srvcli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wintypes.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: appresolver.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: bcp47langs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: slc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: propsys.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: edputil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: urlmon.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: iertutil.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: srvcli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: wintypes.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: appresolver.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: slc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: sppc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: pcacli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: mpr.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: netapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: avifil32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: msvfw32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: wsock32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: dsound.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: msacm32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: powrprof.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: netutils.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: umpdc.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: winsta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: security.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: secur32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: sspicli.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: wldp.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: idndl.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: msxml6.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: iccvid.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: iyuv_32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: msrle32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: msvidc32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: msyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: tsbyuv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: profapi.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: winmm.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: avicap32.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: version.dll
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\0438.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Start LM-Server.lnk.3.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Uninstall LiteManager - Server.lnk.3.dr | LNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
Source: Stop LM-Server.lnk.3.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Settings for LM-Server.lnk.3.dr | LNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 0438.pdf.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: 0438.pdf.exe | Static file information: File size 11654747 > 1048576
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 0438.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 0438.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe
Source: 0438.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0438.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0438.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0438.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0438.pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\0438.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4378203
Source: 0438.pdf.exe | Static PE information: section name: .didat
Source: 0438.pdf.exe | Static PE information: section name: _RDATA
Source: ROMViewer.exe.3.dr | Static PE information: section name: .didata
Source: ROMFUSClient.exe.3.dr | Static PE information: section name: .didata
Source: ROMwln.dll.3.dr | Static PE information: section name: .didata
Source: ROMServer.exe.3.dr | Static PE information: section name: .didata
Source: HookDrv.dll.3.dr | Static PE information: section name: .didata
Source: ROMServer.exe0.3.dr | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD5156 push rsi; retf 0_2_00007FF6C2DD5157
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD5166 push rsi; retf 0_2_00007FF6C2DD5167
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\romserver.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk
Source: C:\Windows\System32\msiexec.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.exe | Static PE information: 0438.pdf.exe
Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettings
Source: C:\Users\user\Desktop\0438.pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeWindow / User API: threadDelayed 574
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeWindow / User API: threadDelayed 9214
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe
                  Source: C:\Windows\System32\svchost.exe TID: 7892Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 8664Thread sleep time: -40000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 8584Thread sleep count: 247 > 30
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8892Thread sleep time: -287000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8892Thread sleep time: -4607000s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeLast function: Thread delayed
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeLast function: Thread delayed
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C2DBB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C2DBB190
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C2DA40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C2DA40BC
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C2DCFCA0 FindFirstFileExA,0_2_00007FF6C2DCFCA0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C2DC16A4 VirtualQuery,GetSystemInfo,0_2_00007FF6C2DC16A4
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeFile opened: C:\Windows\SysWOW64\winmm.dll
                  Source: 0438.pdf.exe, 00000000.00000003.1692905905.0000015034936000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: svchost.exe, 00000005.00000002.2936451034.000002A2E482B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp*
Source: ROMFUSClient.exe, 0000000A.00000003.1841308496.0000000000B38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}L@
Source: ROMFUSClient.exe, 00000013.00000002.1891026301.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: ROMFUSClient.exe, 00000014.00000002.1901437174.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: svchost.exe, 00000005.00000002.2939112419.000002A2E9E5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ROMFUSClient.exe, 00000007.00000002.1820432073.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: ROMFUSClient.exe, 00000007.00000002.1820432073.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000002.2935454873.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.2935526756.0000000000B98000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.1881451418.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2936033854.0000000000D68000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000002.1914654009.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000018.00000002.1921313988.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 0000001A.00000002.2533126236.0000000000B38000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C2DC3170
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD0D20 GetProcessHeap,0_2_00007FF6C2DD0D20
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC3354 SetUnhandledExceptionFilter,0_2_00007FF6C2DC3354
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6C2DC2510
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C2DC3170
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C2DC76D8
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DBB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C2DBB190
Source: C:\Users\user\Desktop\0438.pdf.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Source: C:\Users\user\Desktop\0438.pdf.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Process created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DD58E0 cpuid 0_2_00007FF6C2DD58E0
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF6C2DBA2CC
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DC0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C2DC0754
Source: C:\Users\user\Desktop\0438.pdf.exe | Code function: 0_2_00007FF6C2DA51A4 GetVersionExW,0_2_00007FF6C2DA51A4

Remote Access Functionality

Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC
MITRE ATT&CK Matrix (one line per tactic; the count shown next to a technique in the original matrix is given in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); Windows Service (1); Process Injection (11); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (122); Modify Registry (1); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (11); Obfuscated Files or Information (11); Software Packing (1); DLL Side-Loading (1); File Deletion (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (31); Virtualization/Sandbox Evasion (2); Process Discovery (1); Application Window Discovery (1); Peripheral Device Discovery (11); File and Directory Discovery (3); System Information Discovery (65); Network Sniffing
Lateral Movement: Remote Desktop Protocol (1); Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1543779; sample 0438.pdf.exe; start date 28/10/2024; architecture WINDOWS; score 64). Signatures attached to the sample: Sigma detected: Suspicious Double Extension File Execution; Uses an obfuscated file name to hide its real file extension (double extension); Initial sample is a PE file and has a suspicious name. Top-level processes in the graph: ROMServer.exe, msiexec.exe, 0438.pdf.exe, svchost.exe. Relations recovered from the graph:

• 0438.pdf.exe starts msiexec.exe and Acrobat.exe; Acrobat.exe starts AcroCEF.exe, which starts a second AcroCEF.exe that contacts 96.7.168.138 (INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR, United States).
• msiexec.exe drops C:\Program Files (x86)\...\ROMServer.exe (PE32), stop_server_51B516...3C56354EA2277C2.exe (PE32), config_server_B6BD...764F06ADFFD6458.exe (PE32) and 9 other files (none is malicious), and starts three ROMFUSClient.exe instances, each of which starts ROMServer.exe.
• ROMServer.exe contacts 111.90.140.76 (SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY, Malaysia) and 65.21.245.7 (CP-ASDE, United States), triggers the signatures "Enables remote desktop connection" and "Enables network access during safeboot for specific services", and starts three ROMFUSClient.exe instances and 5 other processes.
• svchost.exe contacts 127.0.0.1.

No Antivirus matches

Source | Detection | Scanner
C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll | 0% | ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll | 0% | ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe | 3% | ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe | 3% | ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll | 0% | ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe | 3% | ReversingLabs
C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe | 3% | ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe | 0% | ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe | 5% | ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe | 0% | ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe | 5% | ReversingLabs
C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe | 5% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://g.live.com/odclientsettings/Prod.C: | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2 | 0% | URL Reputation | safe
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | 0% | URL Reputation | safe
http://www.symauth.com/rpa00 | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe
http://www.indyproject.org/ | 0% | URL Reputation | safe
http://www.symauth.com/cps0( | 0% | URL Reputation | safe
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | 0% | URL Reputation | safe
                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://litemanager.com/1 | ROMFUSClient.exe, 00000012.00000002.2937455075.000000000278C000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://litemanager.ru/ | ROMFUSClient.exe, 00000007.00000000.1804660098.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1813980374.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Ukrainian.lg.3.dr, Russian.lg.3.dr | false | - | unknown
https://g.live.com/odclientsettings/Prod.C: | edb.log.5.dr | false | URL Reputation: safe | unknown
https://litemanager.com/soft/pro/ROMServer.zip | ROMFUSClient.exe, 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | false | - | unknown
https://g.live.com/odclientsettings/ProdV2 | edb.log.5.dr | false | URL Reputation: safe | unknown
https://litemanager.com/romversion.txt | ROMFUSClient.exe, 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | false | - | unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0 | 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | false | URL Reputation: safe | unknown
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000005.00000003.1716927061.000002A2E9D22000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.dr | false | URL Reputation: safe | unknown
http://www.symauth.com/rpa00 | 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | false | URL Reputation: safe | unknown
http://litemanager.ru/forum/ru/memberlist.php?mode=viewprofile&u=977. | Ukrainian.lg.3.dr | false | - | unknown
http://ocsp.thawte.com0 | 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | false | URL Reputation: safe | unknown
http://litemanager.ru/noip.txtU | ROMServer.exe, 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | false | - | unknown
http://crl.ver) | svchost.exe, 00000005.00000002.2938882637.000002A2E9E00000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://g.live.com/odclientsettings/ProdV2.C: | edb.log.5.dr | false | URL Reputation: safe | unknown
http://litemanager.com/ | ROMFUSClient.exe, 00000007.00000000.1804660098.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1813980374.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, ROMServer.exe, 0000000F.00000002.2936854724.000000000179C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2937455075.000000000268C000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2937455075.000000000278C000.00000004.00001000.00020000.00000000.sdmp, MSIDA03.tmp.3.dr, English.lg.3.dr, Turkish.lg.3.dr | false | - | unknown
http://www.LiteManagerTeam.com | MSIDA03.tmp.3.dr | false | - | unknown
http://www.indyproject.org/ | ROMFUSClient.exe, 00000007.00000003.1818191092.00000000029B7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1810551436.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000009.00000003.1816021044.00000000029A7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000A.00000003.1840595903.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000C.00000003.1838364653.0000000001147000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000D.00000003.1881269930.0000000002807000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000003.1874831239.0000000002937000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000F.00000002.2936854724.0000000001700000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.2936419272.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000003.1877801379.0000000002917000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000012.00000002.2937455075.00000000026F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000014.00000003.1899204478.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000017.00000003.1913091884.00000000027C7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000018.00000003.1919643905.0000000002897000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://litemanager.com/03y | ROMFUSClient.exe, 00000012.00000002.2937455075.0000000002793000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://litemanager.com/03z | ROMServer.exe, 0000000F.00000002.2936854724.000000000179C000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.symauth.com/cps0( | 0438.pdf.exe, 00000000.00000003.1689218135.00000150388F8000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1689218135.00000150388BA000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.dr, 42d2ef.msi.3.dr | false | URL Reputation: safe | unknown
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6 | svchost.exe, 00000005.00000003.1716927061.000002A2E9D22000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
96.7.168.138 | unknown | United States | 262589 | INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR | false
111.90.140.76 | unknown | Malaysia | 45839 | SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | false
65.21.245.7 | unknown | United States | 199592 | CP-ASDE | false
                                        IP
                                        127.0.0.1
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1543779
                                        Start date and time:2024-10-28 12:53:22 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 7m 43s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:27
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:0438.pdf.exe
                                        renamed because original name is a hash value
                                        Original Sample Name: .pdf.exe
                                        Detection:MAL
                                        Classification:mal64.troj.evad.winEXE@48/97@0/4
                                        EGA Information:
                                        • Successful, ratio: 50%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 70
                                        • Number of non-executed functions: 93
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded IPs from analysis (whitelisted): 2.19.126.143, 2.19.126.149, 184.28.88.176, 162.159.61.3, 172.64.41.3, 184.28.90.27, 2.23.197.184, 52.202.204.11, 23.22.254.206, 54.227.187.23, 52.5.13.197, 199.232.210.172, 2.22.242.123, 2.22.242.11, 192.168.2.4, 23.218.232.159
                                        • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, geo2.adobe.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Execution Graph export aborted for target ROMServer.exe, PID 8580 because there are no executed functions
• Not all processes were analyzed; report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: 0438.pdf.exe
Time | Type | Description
07:54:17 | API Interceptor | 2x Sleep call for process: svchost.exe modified
07:54:25 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
07:54:31 | API Interceptor | 20x Sleep call for process: ROMServer.exe modified
07:54:33 | API Interceptor | 44762x Sleep call for process: ROMFUSClient.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
96.7.168.138 | Sars Urgent Notice.pdf | Get hash | malicious | Unknown | Browse |
 | tue.bat | Get hash | malicious | Unknown | Browse |
 | https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0 | Get hash | malicious | Unknown | Browse |
 | bc3c228ad2c13f96cb14375c3860e802.pdf | Get hash | malicious | HTMLPhisher | Browse |
 | Demande de proposition du CPE Les Coquins.pdf | Get hash | malicious | Unknown | Browse |
 | Airbornemx Benefits Enrollment.pdf | Get hash | malicious | HTMLPhisher | Browse |
 | Scan_8346203.pdf | Get hash | malicious | Unknown | Browse |
 | Jwhite Pay Increase EFile997843.pdf | Get hash | malicious | Unknown | Browse |
 | roba.txt | Get hash | malicious | Meterpreter, ReflectiveLoader | Browse |
 | Inv No.248730.xls | Get hash | malicious | Unknown | Browse |
65.21.245.7044f.pdf.scr | Get hash | malicious | RMSRemoteAdmin | Browse |
 | 3e#U043c.scr | Get hash | malicious | RMSRemoteAdmin | Browse |
 | 3e#U043c.scr | Get hash | malicious | RMSRemoteAdmin | Browse |
                                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY | b.cmd | Get hash | malicious | Unknown | Browse | 101.99.92.203
 | rrwzOU7A9F.exe | Get hash | malicious | XWorm | Browse | 101.99.92.203
 | 3xlcP3DFLm.exe | Get hash | malicious | XWorm | Browse | 101.99.92.203
 | JruZmEO5Dm.exe | Get hash | malicious | XWorm | Browse | 101.99.92.203
 | zVlbADkNqu.exe | Get hash | malicious | XWorm | Browse | 101.99.92.203
 | vqUuq8t2Uc.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 101.99.92.203
 | pXJ9iQvcQa.exe | Get hash | malicious | AsyncRAT, DcRat | Browse | 101.99.92.203
 | https://app.adjust.com/mr11ui?fallback=https://abcshopbd.com/#amVmZi5kaXhvbiRhdXN0YWx1c2EuY29t | Get hash | malicious | HTMLPhisher | Browse | 111.90.141.53
 | Transferencias6231.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 101.99.94.195
 | Justificante de pago.vbs | Get hash | malicious | AgentTesla, GuLoader | Browse | 101.99.94.195
INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR | Sars Urgent Notice.pdf | Get hash | malicious | Unknown | Browse | 96.7.168.138
 | la.bot.m68k.elf | Get hash | malicious | Unknown | Browse | 200.220.206.173
 | tue.bat | Get hash | malicious | Unknown | Browse | 96.7.168.138
 | https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0 | Get hash | malicious | Unknown | Browse | 96.7.168.138
 | bc3c228ad2c13f96cb14375c3860e802.pdf | Get hash | malicious | HTMLPhisher | Browse | 96.7.168.138
 | Demande de proposition du CPE Les Coquins.pdf | Get hash | malicious | Unknown | Browse | 96.7.168.138
 | Airbornemx Benefits Enrollment.pdf | Get hash | malicious | HTMLPhisher | Browse | 96.7.168.138
 | Scan_8346203.pdf | Get hash | malicious | Unknown | Browse | 96.7.168.138
 | Jwhite Pay Increase EFile997843.pdf | Get hash | malicious | Unknown | Browse | 96.7.168.138
 | roba.txt | Get hash | malicious | Meterpreter, ReflectiveLoader | Browse | 96.7.168.138
CP-AS | iQPxJrxxaj.exe | Get hash | malicious | PikaBot | Browse | 65.20.66.218
 | iQPxJrxxaj.exe | Get hash | malicious | PikaBot | Browse | 65.20.66.218
 | http://www.thegioimoicau.com/ | Get hash | malicious | Unknown | Browse | 65.21.45.74
 | Bill Of Lading_MEDUVB935991.pdf.exe | Get hash | malicious | FormBook | Browse | 65.21.196.90
 | arm.elf | Get hash | malicious | Unknown | Browse | 65.21.50.224
 | P1 BOL.exe | Get hash | malicious | Unknown | Browse | 65.21.196.90
 | Doc 784-01965670.exe | Get hash | malicious | FormBook | Browse | 65.21.196.90
 | TT Swift copy1.exe | Get hash | malicious | FormBook | Browse | 65.21.196.90
 | BL.exe | Get hash | malicious | FormBook | Browse | 65.21.196.90
 | rDRAWINGDWGSINC.exe | Get hash | malicious | FormBook | Browse | 65.21.196.90
                                                                  No context
                                                                  No context
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):25210
                                                                  Entropy (8bit):5.139223890307229
                                                                  Encrypted:false
                                                                  SSDEEP:384:YS75t8t+CqZ+oNbynfBytjj3IhdgdVOVv:YS1t8t+CqZ+oNbynfEtIh+jMv
                                                                  MD5:1D990DF3CE9F0C996FDF1E2331938931
                                                                  SHA1:BBF4B844D333E545265005AFA7DA57B287A7AA76
                                                                  SHA-256:FF97257B367243372028FA48375F7BE50AE1F3309E3975CA56BBBA6959BB3557
                                                                  SHA-512:14DFDB9BA445D1EE7034366607F88EC6ED780C52FE8D48FE1FE2966088F211127574685DAB3450EF6C2A67F5DDEAD346D073B7396751599BE3F80EA516B3B128
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview:...@IXOS.@.....@.>\Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-B
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):132032
                                                                  Entropy (8bit):6.10195829980833
                                                                  Encrypted:false
                                                                  SSDEEP:3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
                                                                  MD5:C40455A478E0B76521130D9DAAAADC4B
                                                                  SHA1:42DE923D5E36A9F56B002DD66DB245BC44480089
                                                                  SHA-256:308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
                                                                  SHA-512:76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Reputation:low
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
                                                                  Category:dropped
                                                                  Size (bytes):58679
                                                                  Entropy (8bit):4.738446173390891
                                                                  Encrypted:false
                                                                  SSDEEP:768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
                                                                  MD5:BAED4E7AF33F77350D454B69317EE63B
                                                                  SHA1:2B598774F0C73850A36117F29EA8DAC57BE1C138
                                                                  SHA-256:671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
                                                                  SHA-512:E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
                                                                  Malicious:false
                                                                  Preview:{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\*\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\*\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\*\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\*\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\*\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\*\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):89220
                                                                  Entropy (8bit):3.469297258214741
                                                                  Encrypted:false
                                                                  SSDEEP:768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
                                                                  MD5:B1C96EF24061BF294CAC6C4C9CBF7757
                                                                  SHA1:5D1B1934091E257B5F1C69B13F5FC1E424348584
                                                                  SHA-256:20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
                                                                  SHA-512:6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
                                                                  Malicious:false
                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):201728
                                                                  Entropy (8bit):6.3607488106285075
                                                                  Encrypted:false
                                                                  SSDEEP:3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
                                                                  MD5:1D4F8CFC7BBF374CCC3AAE6045B2133D
                                                                  SHA1:802EDF0B0ED1D0305BCD6688EE3301366FEC1337
                                                                  SHA-256:C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
                                                                  SHA-512:68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):61034
                                                                  Entropy (8bit):4.429529654892776
                                                                  Encrypted:false
                                                                  SSDEEP:768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
                                                                  MD5:7303B5AE0B8911CEB238DC01419695BE
                                                                  SHA1:22B89BDB8FAEC62BA3E66639E38E6271B593944A
                                                                  SHA-256:88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
                                                                  SHA-512:8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
                                                                  Malicious:false
                                                                  Preview:[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):58794
                                                                  Entropy (8bit):3.642324420313977
                                                                  Encrypted:false
                                                                  SSDEEP:768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
                                                                  MD5:606DC375E898D7221CCB7CEB8F7C686B
                                                                  SHA1:26DCF93876C89283623B8150C1B79EDB24B6A7EC
                                                                  SHA-256:F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
                                                                  SHA-512:9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
                                                                  Malicious:false
                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):87912
                                                                  Entropy (8bit):4.303374267443204
                                                                  Encrypted:false
                                                                  SSDEEP:768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
                                                                  MD5:3FC082E8F516EAD9FC26AC01E737F9EF
                                                                  SHA1:3B67EBCE4400DDCF6B228E5668F3008561FB8F21
                                                                  SHA-256:3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
                                                                  SHA-512:9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
                                                                  Malicious:false
                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):6307408
                                                                  Entropy (8bit):6.5944937257467116
                                                                  Encrypted:false
                                                                  SSDEEP:98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
                                                                  MD5:63D0964168B927D00064AA684E79A300
                                                                  SHA1:B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
                                                                  SHA-256:33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
                                                                  SHA-512:894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
                                                                  Malicious:false
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):7753808
                                                                  Entropy (8bit):6.615075046955521
                                                                  Encrypted:false
                                                                  SSDEEP:98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
                                                                  MD5:F3D74B072B9697CF64B0B8445FDC8128
                                                                  SHA1:8408DA5AF9F257D12A8B8C93914614E9E725F54C
                                                                  SHA-256:70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
                                                                  SHA-512:004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):999944
                                                                  Entropy (8bit):6.626732213066839
                                                                  Encrypted:false
                                                                  SSDEEP:12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
                                                                  MD5:ED32E23322D816C3FE2FC3D05972689E
                                                                  SHA1:5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
                                                                  SHA-256:7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
                                                                  SHA-512:E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):94772
                                                                  Entropy (8bit):4.284840986247552
                                                                  Encrypted:false
                                                                  SSDEEP:768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
                                                                  MD5:0E204FABE68B4B65ED5E0834651FB732
                                                                  SHA1:B338A6E54AA18F3F8A573580520F16C74A51F3D2
                                                                  SHA-256:302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
                                                                  SHA-512:AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
                                                                  Malicious:false
                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):7752272
                                                                  Entropy (8bit):6.615186281886958
                                                                  Encrypted:false
                                                                  SSDEEP:98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
                                                                  MD5:84FB34E529BEDE393A3F604EAA8137B2
                                                                  SHA1:195EA03B7BD086454A13C0D8357E0A9E447D9EC9
                                                                  SHA-256:1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
                                                                  SHA-512:A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g..............(v.P"...._.4............................._..................... m_.|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.........g.......^.............@..@............. .......(v.............@..@................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11361360
                                                                  Entropy (8bit):6.496049600782297
                                                                  Encrypted:false
                                                                  SSDEEP:98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
                                                                  MD5:B0E355EC3453C8FFAEE08CD4257E96F2
                                                                  SHA1:0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
                                                                  SHA-256:60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
                                                                  SHA-512:B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
                                                                  Malicious:false
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................v..67.......v...... v...@..........................0...................@...................p...........L...p....+..........:..P"...................................................................`.......................text.....u.......u................. ..`.itext...6....u..8....u............. ..`.data....R... v..T....v.............@....bss.........w..........................idata...L.......N...Xw.............@....didata......`........w.............@....edata.......p........w.............@..@.tls....`................................rdata..].............w.............@..@.reloc................w.............@..B.rsrc.....+..p....+.................@..@.............0.......:..............@..@................
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1310720
                                                                  Entropy (8bit):1.3073716467219574
                                                                  Encrypted:false
                                                                  SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrg:KooCEYhgYEL0In
                                                                  MD5:F04BDC05076C25347B6D7DA1C6B9F6E1
                                                                  SHA1:CA80D4414FED1A5292078577FDD12D82918D4049
                                                                  SHA-256:BF02F34995022E74485467CF8FAAD88E41130263B8A86B1F7732E65C7C3879EA
                                                                  SHA-512:E2652BB2014751D1A179B609A3A66D0392431C21B77AFBA9D8344D538BEFC49D954C54361884D6ACA7F4C7201D3D35309BFED2013317215FF7C492765001A23E
                                                                  Malicious:false
                                                                  Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa2ac2cb8, page size 16384, DirtyShutdown, Windows version 10.0
                                                                  Category:dropped
                                                                  Size (bytes):1310720
                                                                  Entropy (8bit):0.42215784695225667
                                                                  Encrypted:false
                                                                  SSDEEP:1536:BSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Baza/vMUM2Uvz7DO
                                                                  MD5:7C6DF2BF0092B0917B4E31351BC70BA3
                                                                  SHA1:7C029449C9B26CFA04A88136EDEF902EBE9039B2
                                                                  SHA-256:5049A14BED85461A4D7BE45C7DCB45EE29FEB0077E5D23B90C461033EAFC688F
                                                                  SHA-512:699B118E018395CFCD36B18C775155D4AF6AE81AF428E00B07F10C9DFECCA10AA953DBB490CBE87307AA58A8AA10389705D04BEB119DEA8A45ED74A839FC0239
                                                                  Malicious:false
                                                                  Preview:..,.... .......A.......X\...;...{......................0.!..........{A..6...|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{..................................w.]..6...|.......................6...|...........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):16384
                                                                  Entropy (8bit):0.07740235398825662
                                                                  Encrypted:false
                                                                  SSDEEP:3:9LGlKYeAi5g+xjn13a/05glXallcVO/lnlZMxZNQl:92Kzrx53qMOewk
                                                                  MD5:F55FAFF42DAD7283F110B7BA7EB46139
                                                                  SHA1:F6F9FF2FF6528B820947EFDD06FC71B873773603
                                                                  SHA-256:B1B7F601334D9622AE22D4FAB29D84A7AA03CF45ED674CA79F471933FD350992
                                                                  SHA-512:C2C12256D0D499A05ED3C627D8570CD08C029A797A9B13B3AA85D14EFD133A96EBCE1586ECC70E4E2022839B478D1CA5783DC6F2D72CC153971BC35C265BE63F
                                                                  Malicious:false
                                                                  Preview:........................................;...{...6...|.......{A..............{A......{A..........{A].....................6...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Mon Oct 28 10:54:23 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):2167
                                                                  Entropy (8bit):3.914858865568582
                                                                  Encrypted:false
                                                                  SSDEEP:48:832nJrwdOC9k2EZd5Y+d5YsP5qoZkmrSUp8JWqoZkmtw:835GI9O5qoZbcJWqoZbt
                                                                  MD5:2DF76339970144574783C3BF969FABE5
                                                                  SHA1:286C8B45FAEDBDE59CF8D666F510420DE1F6BD50
                                                                  SHA-256:B491CAF532B64FC262D0315A27B19ECF7FAC3F9FA7103E555A54D91B3FD49489
                                                                  SHA-512:3072CAC35D2B68BBEAEF837725FA507FCFC5F896C91539988305A3A6EBB4F2C3F3E415D28574039420C19A42FB0920AC3F2DE6C1382251A4DC89334855E24437
                                                                  Malicious:false
                                                                  Preview:L..................F.@.. .....>........!0)....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....\Y.^..PROGRA~2.........O.I\Y.^....................V.....y. .P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....\Y.^..LITEMA~1..b......\Y.^\Y.^............................6.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.\Y.^.....+........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k.............F.....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1890
                                                                  Entropy (8bit):3.1573107695942624
                                                                  Encrypted:false
                                                                  SSDEEP:48:8ddOEPLqd5Y+d5YcCP5q2DT2S0Wq2DTKX7:85LJ9cM5qUoWqUE
                                                                  MD5:5FC67E19699B3F0B2AB7B4B89B0B3F1A
                                                                  SHA1:6F6380DF2EB8C5D30452A846864F001A8B0E473A
                                                                  SHA-256:45451F933B472FA53301D46B7C072AF67E51EC60172E6E9C01E0B308DF78A2F4
                                                                  SHA-512:81C7A9F5683DB54893BD26A6EC1BCBDB17983037668CD996E03934E7708331594195DBF2CCE9EB2B0C0567A9E8B24DD629D40866D49E55C9DF77A864D15744E5
                                                                  Malicious:false
                                                                  Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..b............................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.h.2...........ROMServer.exe.L............................................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\In
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Mon Oct 28 10:54:23 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):2159
                                                                  Entropy (8bit):3.9020143117284696
                                                                  Encrypted:false
                                                                  SSDEEP:48:8l2nJrwdOC9x6+EZd5Y+d5Ys5qcxFWT84SslWqcxFWT8cw:8l5Xr9s5qcxYT8SWqcxYT8c
                                                                  MD5:BA451B9555E22F5CE09BD50C3DFE1295
                                                                  SHA1:47E1AC00BF63BB60520F2029A02B0BB19A6BD646
                                                                  SHA-256:C0D09B3094FC66DF85A1E87EFB73C5AF2120BDACD194D73805E494C9222F594A
                                                                  SHA-512:7DF34E2FA424F683EE47A0081601E3C13C202150E35AB86BBC789A26FC10DD7232AE7E2AD0837282086AF8E63AB57FB482FB736A1BE5D2C5E4CEDFA24DD9E55F
                                                                  Malicious:false
                                                                  Preview:L..................F.@.. .....>.......!0)....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....\Y.^..PROGRA~2.........O.I\Y.^....................V.....y. .P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....\Y.^..LITEMA~1..b......\Y.^\Y.^.............................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.\Y.^.....+........................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k.............F.....C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 4 09:56:56 2023, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):1953
                                                                  Entropy (8bit):3.880787858849558
                                                                  Encrypted:false
                                                                  SSDEEP:48:8WnunyC+Ob0JHOn5qmjlt6ScWqmjltZF:8wu9lDn5qmjlmWqmjl
                                                                  MD5:F42A7C745548FFD05F954D8117248556
                                                                  SHA1:8544A4214085CAEBEB250408BCD6A3CF14485208
                                                                  SHA-256:692768B3B529AC1FDE55BBE3D728EB2AB81C49D1F8C325650F0881F9ED231B1D
                                                                  SHA-512:2EE7084EBCE4EBF227208C9B629D6BB1ED7634A7F46DC5020A939A2AAD1405FE32C2FAFEB8372E0122F87BAA0235CABB17B1CB2E3967034C4A3FA58C44AE43B4
                                                                  Malicious:false
                                                                  Preview:L..................F.@.. ...25.....1>.~....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWP`..Windows.@......OwH\Y.^....3.......................*.W.i.n.d.o.w.s.....Z.1.....\Y.^..SysWOW64..B......O.I\Y.^....Y.....................El..S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBIDW.V................|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M.............F.....C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C6
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):292
                                                                  Entropy (8bit):5.211728076750284
                                                                  Encrypted:false
                                                                  SSDEEP:6:yzfe+q2Pwkn2nKuAl9OmbnIFUt8hz0UtZmw+hz0UxVkwOwkn2nKuAl9OmbjLJ:QPvYfHAahFUt8uUt/+uUf5JfHAaSJ
                                                                  MD5:46B9900D8219D56CA643ED946270F925
                                                                  SHA1:10E13D4616BE423D55E66BE8763D0D153CF028A6
                                                                  SHA-256:059687541F99D627373F8DF36923EFB7944BA9E113D7BD79D8ABD506AE02F511
                                                                  SHA-512:EC04B104F257D28DCBEC503DECD43322193A6B461083010E32A74B7EC81F382B0710FE2E32DCC9482001C38F770878786A672533E304F2BE1081F56762E7B470
                                                                  Malicious:false
                                                                  Preview:2024/10/28-07:54:17.780 1ec8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/28-07:54:17.783 1ec8 Recovering log #3.2024/10/28-07:54:17.783 1ec8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):336
                                                                  Entropy (8bit):5.209817333881388
                                                                  Encrypted:false
                                                                  SSDEEP:6:yzEdTAq2Pwkn2nKuAl9Ombzo2jMGIFUt8hzSZmw+hzqkwOwkn2nKuAl9Ombzo2jz:3AvYfHAa8uFUt8Q/+05JfHAa8RJ
                                                                  MD5:C0F8F59B612D7E898E4C05DED8989ADA
                                                                  SHA1:410DAD0EB2477ECBEC036370C8F50C21C19477D6
                                                                  SHA-256:BCCB9B1528F5C0FA3FD8DBCD941DCC13F17F2264F7407CEABC78611B34660319
                                                                  SHA-512:DE236586CEACCDFFD5463DC02FAB4D182BBC5C86332814D483828B83CD25AA18FE030430A24EA3CB3068C845F34246A49A48EC27BB635E6AB8ADADB9AC6D09B9
                                                                  Malicious:false
                                                                  Preview:2024/10/28-07:54:17.848 1f70 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/28-07:54:17.851 1f70 Recovering log #3.2024/10/28-07:54:17.855 1f70 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):475
                                                                  Entropy (8bit):4.967403857886107
                                                                  Encrypted:false
                                                                  SSDEEP:12:YH/um3RA8sqLsBdOg2HHfcaq3QYiubInP7E4TX:Y2sRdsVdMHO3QYhbG7n7
                                                                  MD5:B7761633048D74E3C02F61AD04E00147
                                                                  SHA1:72A2D446DF757BAEA2C7A58C050925976E4C9372
                                                                  SHA-256:1A468796D744FCA806D1F828C07E0064AB6A1FA0E31DA3A403F12B9B89868B67
                                                                  SHA-512:397A10C510FAA048E4AAB08A11B2AE14A09EE47EC4F5A2B47CE1A9580C2874ADE0F9F8FC287B9358C0FFEA4C89F8AB9270B9CA00064EA90CD2EF0EAD0A59369F
                                                                  Malicious:false
                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340980889952523","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":146406},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:JSON data
                                                                  Category:modified
                                                                  Size (bytes):475
                                                                  Entropy (8bit):4.968015424318641
                                                                  Encrypted:false
                                                                  SSDEEP:12:YH/um3RA8sqsRdsBdOg2HRcaq3QYiubInP7E4TX:Y2sRdsUdMHo3QYhbG7n7
                                                                  MD5:55414145C32167930110D36781E70A7B
                                                                  SHA1:9740FE689529BCA484C70828CE695475A2885DBC
                                                                  SHA-256:FDB1E13534135BF5A08767F86174BEEEB29BD30AAE9E4C0E37411842D78974A5
                                                                  SHA-512:4D7203021F3B15687B1B403ED712C87CD75568C2A572819A1B55D521D14F68E5A2B063A433FD9450E00FAE164B23488F61CB25E57AB0D663D2F202A82D2C1CA2
                                                                  Malicious:false
                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374676469409797","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":227729},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G"}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):4320
                                                                  Entropy (8bit):5.256117515712557
                                                                  Encrypted:false
                                                                  SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7yq6LK8Z:etJCV4FiN/jTN/2r8Mta02fEhgO73goi
                                                                  MD5:2D05006374406BAB90856F20B939DAE0
                                                                  SHA1:BE2B50D882916D64D92B7B831F41BD07B88B90B9
                                                                  SHA-256:D8F0D56B8DC94D72E057D444E4A378BE08261FB1E167DAC1B610F2379A98AA3C
                                                                  SHA-512:1234015927B34E4C4B4AB32D221984BAE8FCB97A6721BF8B3A11EA481411902E9189BF4E72BCEE3A47D49CBA8F710BC279783D7066B675BC5C0F9B0C04E1CA92
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):324
                                                                  Entropy (8bit):5.20076717095211
                                                                  Encrypted:false
                                                                  SSDEEP:6:yzd7yq2Pwkn2nKuAl9OmbzNMxIFUt8hzd2OhZmw+hzdfkwOwkn2nKuAl9OmbzNMT:mmvYfHAa8jFUt8jd/+jf5JfHAa84J
                                                                  MD5:F922EF205801A068F9DC1700E3699273
                                                                  SHA1:1E8D2939B3AA9BED3E5F9719743D06CC132DFF10
                                                                  SHA-256:3DB841DCA9270B26B3F3EEC7AB2959F54226D5883556456B69C6A53D5F9602BC
                                                                  SHA-512:BAD60095C809BB52E2EA2E04AA15C1DCC06E6FF9713910A4714AD41D670F1282DA8EB6B7268CC88EB5BDF1D9E6F8BAB98159346E4DED2A859E426C00721EE13B
                                                                  Malicious:false
                                                                  Preview:2024/10/28-07:54:18.130 1f70 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/28-07:54:18.143 1f70 Recovering log #3.2024/10/28-07:54:18.150 1f70 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
                                                                  Category:dropped
                                                                  Size (bytes):86016
                                                                  Entropy (8bit):4.445333260507269
                                                                  Encrypted:false
                                                                  SSDEEP:384:Senci5tEiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:vzs3OazzU89UTTgUL
                                                                  MD5:E54C487EA7F191603210EB97162AE983
                                                                  SHA1:31F7E4F599289A8F79042D8EB702ADE037BE16EC
                                                                  SHA-256:67EF1B79DBF0F3E72E7DE3B2DCAA08BCC3595594C10174F1EFE654ACCA363A8A
                                                                  SHA-512:AD7095E3173613A23D24D2044D06A0D34E3881045777C7A68E5C241E97A0718DC1989B883487D5EB854478D7A15DE8FDECFF6199ED61B1615DDF24CB8E88B639
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite Rollback Journal
                                                                  Category:dropped
                                                                  Size (bytes):8720
                                                                  Entropy (8bit):2.213105330070725
                                                                  Encrypted:false
                                                                  SSDEEP:24:7+tArWEAnuwK/qLrzkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmt:7MAEnC/qvmFTIF3XmHjBoGGR+jMz+Lh9
                                                                  MD5:B534E2619EC54E8604FFE59344EA9318
                                                                  SHA1:48FCABB7C7A7BB6E83A03D1DB16354CB30A5E872
                                                                  SHA-256:720ED881DA1A6048EAF31DA6A4A510AD758A39AA4E5B9766A0D24F677E670997
                                                                  SHA-512:E6D968C18F297144308B7F2E791A9DFC4ED677362FDF4F20816F4688DE7F902A185E7A97FECE47FD549DE66F1F275E0BE83C0F16F701DE5179396405E40BC3FF
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:Certificate, Version=3
                                                                  Category:dropped
                                                                  Size (bytes):1391
                                                                  Entropy (8bit):7.705940075877404
                                                                  Encrypted:false
                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):71954
                                                                  Entropy (8bit):7.996617769952133
                                                                  Encrypted:true
                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):192
                                                                  Entropy (8bit):2.7529698674325394
                                                                  Encrypted:false
                                                                  SSDEEP:3:kkFkl5uRltfllXlE/HT8krG/hlltNNX8RolJuRdxLlGB9lQRYwpDdt:kKreT8i2zdNMa8RdWBwRd
                                                                  MD5:B4EB985B486E34D380290159E94B9D86
                                                                  SHA1:D012525E13EFA32EBFF050418FD27DE033248681
                                                                  SHA-256:15A32E1674F8029BEAC2DE4D6655453EB88E04F8F224340141C79F77E474BD48
                                                                  SHA-512:18BEFE483407C7E3F3C9B915BA0FDFD8B3937167161B271D4D2F77458A090CAF7271EDA8AAB63897BE480F0683D2F96637391D0BA2CF924E56062F2F3AE45EDC
                                                                  Malicious:false
                                                                  Preview:p...... ..........."0)..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):328
                                                                  Entropy (8bit):3.245596380966818
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKAsL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:xiDImsLNkPlE99SNxAhUe/3
                                                                  MD5:39C498F4BB2E3478A08EB29809251BD3
                                                                  SHA1:F36FBFEF90C12862B32F13FA7917A90B546F31C7
                                                                  SHA-256:3204C6508593B1543165543062E3C5A881BEA8A6346AE63004B1CAA4FD63DF62
                                                                  SHA-512:08ECD95BCC24B2DF154821CF5CE8570380896F44F875A66B934DD2E6574817907FE54543E26655BABAC32BEA41346CACC4C6D1816BD01E0497BB9C6A04C7AF16
                                                                  Malicious:false
                                                                  Preview:p...... ..........~50)..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:PostScript document text
                                                                  Category:dropped
                                                                  Size (bytes):185099
                                                                  Entropy (8bit):5.182478651346149
                                                                  Encrypted:false
                                                                  SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                  MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                  SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                  SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                  SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                  Malicious:false
                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:PostScript document text
                                                                  Category:dropped
                                                                  Size (bytes):185099
                                                                  Entropy (8bit):5.182478651346149
                                                                  Encrypted:false
                                                                  SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                  MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                  SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                  SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                  SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                  Malicious:false
                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):295
                                                                  Entropy (8bit):5.367551715632492
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJM3g98kUwPeUkwRe9:YvXKXXOEZc0vhZGMbLUkee9
                                                                  MD5:18C206EBE8D0D1D87E2B6C28CACF9A69
                                                                  SHA1:516E6E2DDBCAA531B27400662C949B51D4A3E980
                                                                  SHA-256:2DC58E3C73B784167A03FC78E754B06B59A415F81EE2932DECD24D7E954A888A
                                                                  SHA-512:20F6FCFB7DA11E2CC871611AF5510D8F3C54EC261EFD475D90DC465E875F1ED2B40A6713F583781282BC40142CF12DF0167FA1CA222ABC901D9408E7AABF42A5
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):5.31554169404239
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfBoTfXpnrPeUkwRe9:YvXKXXOEZc0vhZGWTfXcUkee9
                                                                  MD5:B8F2022157997DB88BA0AC517880ED61
                                                                  SHA1:0C79C9E316980966AC4A09566380DE4DBA88E341
                                                                  SHA-256:893821BD544EADFD6613955659288C5FCEAF4C3C4D2121314332AB3197A9787F
                                                                  SHA-512:4E9214627A59E821F903AD4877AE7C32C07014A8D2C55727A2E49EDCEA8E21A8D2E832B3D47E745A61C3568CE0791012D5F1EEB70900095A6EF3032117C9E419
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):5.2948094879570595
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfBD2G6UpnrPeUkwRe9:YvXKXXOEZc0vhZGR22cUkee9
                                                                  MD5:A09C29CAA9570EFE8047EC0011D340F6
                                                                  SHA1:6F78D1CD1418C5F035B87E8A2A207DB0EB5BC5E8
                                                                  SHA-256:BCCB0F9EBC777592C429CA08C27BA085695A173B83E480243890FD5FFC133F91
                                                                  SHA-512:1AADA19EE71EC8A17D6B7C01DD947831F2AC9865FD3BA2AFF4EFCD917F55894E6611A53C3A6B4A545F0E48A60D75137100835548602384CE39E856951D2D69C2
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):285
                                                                  Entropy (8bit):5.354709180750995
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfPmwrPeUkwRe9:YvXKXXOEZc0vhZGH56Ukee9
                                                                  MD5:8FC134B37077B4286DC681B2BA37F173
                                                                  SHA1:75763A7D13EBC76DEBBB18C22641FD3E56F17A13
                                                                  SHA-256:7843064B7975BC9E8F0F11668272DA3713D5F00BFE83E4D12311A6EB66D5A8E0
                                                                  SHA-512:32FF1770CF894E97DD9EB73C88AFB9B7338523D30901D1C69803867CB8F8BA4E4FAC29162588C9DC3A8E32BB7898A9CA42C18B2922E9C01E8DFDEBFE2AC3DC12
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1055
                                                                  Entropy (8bit):5.663535691870376
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XeEzvh+pLgEscLf7nnl0RCmK8czOCCSn6n:Yv2Z+hgGzaAh8cv/n6
                                                                  MD5:1C2ECA5C5D5B0379F1CB90F49CDF1EFB
                                                                  SHA1:6E4B96235CC1AF18B5F677E055792466384C425E
                                                                  SHA-256:5FC7413E177119B35AAADDBB62770CF4BB29C6925BA2ABFA482AA7F5A1801196
                                                                  SHA-512:D26ECB49787D3A00ECFEF338AC6B48533E6BECA639166EE9DEDCBC1EB49CB40E57597D9BF78798BD3B749A49408141D8EDEC51CBA07CCCF15BECF77E758F2913
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"92038_285529ActionBlock_1","campaignId":92038,"containerId":"1","controlGroupId":"","treatmentId":"eb1a4bce-8215-46f1-b44c-154b21a85d60","variationId":"285529"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNhdElkIjpudWxsfQ==","dataType":"application\/json","encodingScheme":tr
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1050
                                                                  Entropy (8bit):5.65512391420254
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XeEzvhoVLgEF0c7sbnl0RCmK8czOCYHflEpwiVk6n:Yv2ZoFg6sGAh8cvYHWpwn6
                                                                  MD5:A9E8BBE73010ED57093E72C9883A95AD
                                                                  SHA1:69B5CE387044DF0DE45DA9FF69F88465FFFA6783
                                                                  SHA-256:02EDE2D556E8FEA7F69034157C325B8C85975160F633F46FAFFD4E278E4E1E4D
                                                                  SHA-512:A4245B39981B086AB9FAE38CF20A834D7E55CDCCDD668CDF57E8091302D39D365636800BD40487D687189C6BE4C350422F52EDB9986B03B2731DF8FEB5946015
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85534_264855ActionBlock_0","campaignId":85534,"containerId":"1","controlGroupId":"","treatmentId":"0924134e-3c59-4f53-b731-add558c56fec","variationId":"264855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkNvbnZlcnQsIGVkaXQgYW5kIGUtc2lnblxuZm9ybXMgJiBhZ3JlZW1lbnRzLiJ9LCJ0Y2F0SWQiOm51bGx9","dataType":"application\/json","encodingScheme":true},"
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):292
                                                                  Entropy (8bit):5.304832345684897
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfQ1rPeUkwRe9:YvXKXXOEZc0vhZGY16Ukee9
                                                                  MD5:EAD679193112DF1D4F17D69D41782911
                                                                  SHA1:319358488910CC39D2F7C79A50B2B7D16735D2B2
                                                                  SHA-256:70B725DC9D0EBCFA5902E5CA991E2BBB30B31035420A24F7838FEE2C035164BC
                                                                  SHA-512:C54AB80C6825A4B5D3236242494C55D4CE879BC50DF9BB10DE56F29EBFCEE5C7E085448968F1F3CCF6713300FA10AEFEE25F702723954E28C2811447A17EE269
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1038
                                                                  Entropy (8bit):5.64839774540212
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XeEzvht2LgEF7cciAXs0nl0RCmK8czOCAPtciBk6n:Yv2Ztogc8hAh8cvA66
                                                                  MD5:5A90F2DD25F5D984F99E13A8A22B6B34
                                                                  SHA1:A9DC48B2CD5E9CFDFE55FABC8B27B7D38FAD23B2
                                                                  SHA-256:AC16ECCD9B9E78DDADA6286C96738F2473280446D91C314A87397081D2DFD08F
                                                                  SHA-512:E19235A80F52605D241B558672033F5F10AE580F8FDAA1E28DB8AD66C8999BFC7CB73FA7CF8AD955474C2BD895E89D4626E1CA958D33F7A53A599826854CC32B
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85534_264855ActionBlock_1","campaignId":85534,"containerId":"1","controlGroupId":"","treatmentId":"49d2f713-7aa9-44db-aa50-0a7a22add459","variationId":"264855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVkaXQgdGV4dCwgaW1hZ2VzLCBwYWdlcywgYW5kIG1vcmUuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"application\/json","encodingScheme":true},"endDTS":1744
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1164
                                                                  Entropy (8bit):5.701225403848812
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XeEzvhFKLgEfIcZVSkpsn264rS514ZjBrwloJTmcVIsrSK5k6n:Yv2ZFEgqprtrS5OZjSlwTmAfSKW6
                                                                  MD5:966AEA0B2B40D65543B8F81DDB22336F
                                                                  SHA1:941A2A36C87FC772711FEA8454F07AF1D91EA35C
                                                                  SHA-256:26B262A12A1D3393992FB8DEB1AB3BD3660D095B6D5F88F29865ED7A96C070FC
                                                                  SHA-512:D464CEA0941F4455A566874A2C44287146A010200F209135EC8389FE1203B118D6D3C6CFD79B58C77161941B0FF6BC6A34474CD645718BDBD03B2FAD546728E4
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85531_264848ActionBlock_0","campaignId":85531,"containerId":"1","controlGroupId":"","treatmentId":"ee1a7497-76e7-43c2-bb63-9a0551e11d73","variationId":"264848"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IlRyeSBBY3JvYmF0IFBybyJ9LCJ1aSI6eyJ0aXRsZV9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE1cHgiLCJmb250X3N0eWxlIjoiMCJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEzcHgiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0b1xucHJlbWl1bSBQREYgYW5kIGUtc2lnbmluZ1xudG9vbHMuIn0sImJhbm5lcl9zdHlsaW5nIjo
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.306732024878854
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfYdPeUkwRe9:YvXKXXOEZc0vhZGg8Ukee9
                                                                  MD5:A6381CBBF77EC71B127DD4E26D8340A5
                                                                  SHA1:208137AC7BEDB915863D69E5BB15BCA62BBFBC80
                                                                  SHA-256:AE32264035B6B2FF79E0CF677D3DF707DAEE79F67E58F345FADBEA05E5FBDBA6
                                                                  SHA-512:A675B7887648E33D6DBD3D15679D48C1002CDDA30D697B6BAAC1B5735077F05A446F6564DB0F547B9A6FAE2F989B5F6C03BF5E4A777DF220B0C945A4CB3268F2
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1395
                                                                  Entropy (8bit):5.782392662306791
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XeEzvh4rLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJNM6n:Yv2Z4HgDv3W2aYQfgB5OUupHrQ9FJW6
                                                                  MD5:B31700E79EBCAF2E9345FAC146D12075
                                                                  SHA1:48166ADC1EB522C812596D33CF7166F2E801FB11
                                                                  SHA-256:CCED98C034F1E06768FD14658325938D1549029B4C21061308B0E40BA2C7A864
                                                                  SHA-512:367A04FF93E2D4CE142869E1DAD4C1ABAECE4035813AFD08E67F51815D5E2E0DF8B0C97D39A723CD2FDB9B59A45E36308AEBBB09744B633B29A9789CBF2EE892
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):291
                                                                  Entropy (8bit):5.290232854340492
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfbPtdPeUkwRe9:YvXKXXOEZc0vhZGDV8Ukee9
                                                                  MD5:BF5B84F830EA2592C0F476F0E82244AA
                                                                  SHA1:D85508070084919069990639A65458D4F6511941
                                                                  SHA-256:7FDE50B0FB01A1E5B07C2FEAC832CD11B34474D0983EBBF20071C487536BA79A
                                                                  SHA-512:FB6E5FAB6078B99AF33387B9A1762A7FB2339220301E5E4092F468EF499442D398D04DF90F14DD856186A130C4A8E4EB747ACE58956F990C557952062C80B35D
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):287
                                                                  Entropy (8bit):5.2949774882542995
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJf21rPeUkwRe9:YvXKXXOEZc0vhZG+16Ukee9
                                                                  MD5:48D6F227E1A5A0F3B4FEA0BD5238A362
                                                                  SHA1:DEE990AD95AB6C6E899E26C46BA6DC1C560A0C01
                                                                  SHA-256:25BAD36C3D00C7A8C93B50A936A8E97E2B24EA13D6C9A28D3400BF90996CE394
                                                                  SHA-512:8518260DEA076A20FEEFEE397D2F2EA68611520175F79B29FAF70776BF6EE7A624E655CD4F417AF1F85C2E04AF48272FF6C1EA2D19962A621161083A49A8FB82
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1026
                                                                  Entropy (8bit):5.635530547324762
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6XeEzvhiamXayLgE7cMCBNaqnl0RCmK8czOC/BSn6n:Yv2Z8BgACBOAh8cvMn6
                                                                  MD5:AAD70A9434278302ECE7F58DA56B8A31
                                                                  SHA1:104A6EF20F910D601495219E7AD85FBB7ACD1BFA
                                                                  SHA-256:DA502010D9F6593D33B8B850F71B65BC321A8F845540E4D0B275BA6EF41DB1C5
                                                                  SHA-512:4727632E0B00FBEC23BC42AAEE5E640C6774FE0687B1FDD8C5185B2C1353F0E0393C8F5AB55DFE444E3CD3BD26BC289F341BA314EB50E1AA3D69BCC6A56FC951
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"92038_285529ActionBlock_0","campaignId":92038,"containerId":"1","controlGroupId":"","treatmentId":"6291f52b-6cb0-4d31-bc46-37ce85e9eb25","variationId":"285529"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"application\/json","encodingScheme":true},"endDTS":1751323379000,"s
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):286
                                                                  Entropy (8bit):5.2719386384241895
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXdlO9VoZcg1vRcR0Y0qoAvJfshHHrPeUkwRe9:YvXKXXOEZc0vhZGUUUkee9
                                                                  MD5:B891E79AD249C50D026E863C9E7BACF7
                                                                  SHA1:AAF9AC458BB081CF1072A2397243A208F9C50169
                                                                  SHA-256:1BB839CB7C29A489F78576C67856522442BA6B18E8E72BEB6C9C63854A93E3EB
                                                                  SHA-512:CB682AA4DCE40AB12BCC0B1746CAB134863099435DF1DEE21F1E9C24D8F6F2E637C4CADAEB2DF80371D7152FB22E825E69B932C05E3D1A4F25D3784D92A4C492
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):782
                                                                  Entropy (8bit):5.3749439577949225
                                                                  Encrypted:false
                                                                  SSDEEP:12:YvXKXXOEZc0vhZGTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWQ6n:Yv6XeEzvh1168CgEXX5kcIfANhn6n
                                                                  MD5:436370A2F8EFACD2C58239045A9F6522
                                                                  SHA1:74A0EAB6DC00833EAB2FFC31C64BAFDEDCF7A73E
                                                                  SHA-256:B6D43DBE5FA38A2728BDE6D805CC9D887FE4483C8DCA173B48D73DB1EEE3FED2
                                                                  SHA-512:6D8A3EBDF7D202059A0A4579C466258BAEA4C01A30AD619FF16F9D347233046367F96F7DA2B719DD06EFDB43CCC26A0152FB730C53436039B3101FE358B18582
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"74f0e4d8-b607-4ba4-8c81-56e52eb6af46","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730295388891,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1730116468924}}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):4
                                                                  Entropy (8bit):0.8112781244591328
                                                                  Encrypted:false
                                                                  SSDEEP:3:e:e
                                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                  Malicious:false
                                                                  Preview:....
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):2818
                                                                  Entropy (8bit):5.132669850590955
                                                                  Encrypted:false
                                                                  SSDEEP:48:YemnefcJXIUdgDgASL9hsKpP+A1H2oH/+vQNcugh9Ut3sY:47ugA2TsQP+OBaQNW/k5
                                                                  MD5:DE2689573298EED180442BE5F43B75A6
                                                                  SHA1:8585189A1A585E4C6AB37579A897166CBF7385AB
                                                                  SHA-256:D3E8439CDA622F3B39112B740E956145E29B103D4045B7227922FA5DA19B3526
                                                                  SHA-512:C4C17FF4F14DFC5FFF935B60B478EC02D33E8387E9167C4634C0824847236AABDFAD259DF6D134A511596B40573F8209E19391D392768412091A3DC1ABE12A84
                                                                  Malicious:false
                                                                  Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"d30906b581ea63ab8bddd0f704958370","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1050,"ts":1730116468000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"f6387469aec7aae3dda763437f1a6988","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1026,"ts":1730116468000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"6c1b833efaca28c2343afcda47da4422","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1164,"ts":1730116468000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"a9d39f684178ad104d34675be56d26fa","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1055,"ts":1730116468000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"75d1c0dd59ab31ce8e3f3ee3cf65e48b","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1038,"ts":1730116468000},{"id":"Edit_InApp_Aug2020","info":{"dg":"72d721c721fec5cd478882993bcb25f4","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":17
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):1.1883157046146655
                                                                  Encrypted:false
                                                                  SSDEEP:48:TGufl2GL7msEHUUUUUUUUDSvR9H9vxFGiDIAEkGVvp3:lNVmswUUUUUUUUD+FGSItb
                                                                  MD5:23D78AB9EA8176A5EBB7CE7C767F9FCD
                                                                  SHA1:A4DA884A68CB4812DB5FC19BEE67AEA764D20827
                                                                  SHA-256:2CEB8DCCB7D0A55CD82B081B97170813F1600105279C2315078804D71305130D
                                                                  SHA-512:33CB4FE8F1B39D1F4A473322F47A267F8E14AC2EB6765411A6CBFC4721167D236ADAA10E052F598DC5D829D36B01A75369ECEDF4D80E080BB0F5416D36E5F100
                                                                  Malicious:false
                                                                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite Rollback Journal
                                                                  Category:dropped
                                                                  Size (bytes):8720
                                                                  Entropy (8bit):1.605831811932515
                                                                  Encrypted:false
                                                                  SSDEEP:48:7MPKUUUUUUUUUUnvR9H9vxFGiDIAEkGVvopqFl2GL7msV:7tUUUUUUUUUUfFGSItapKVmsV
                                                                  MD5:5A08CB714A17AF6F70775314C657CDA5
                                                                  SHA1:1ACEE2A91B5DDED62EB361C67B9700E9E1B629CC
                                                                  SHA-256:0DE06ABB8206A81ABB8056398FE7EC70F4EB753B36C3FD419267AB493CE0F287
                                                                  SHA-512:AEFD76180564B81EF97759D4C3BDF981DBA48E23EE2840BE32C96E79D07F7B3AE2AD50494F542064A2024410361AD5F7E759B898AA0640C32600E7CBF8613D71
                                                                  Malicious:false
                                                                  Preview:.... .c.......0w......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\0438.pdf.exe
                                                                  File Type:PDF document, version 1.7, 1 pages (zip deflate encoded)
                                                                  Category:dropped
                                                                  Size (bytes):125552
                                                                  Entropy (8bit):7.579988719622451
                                                                  Encrypted:false
                                                                  SSDEEP:1536:N0N5xSlECZcbZ42IlWpy67H/AvLpMpBXCF4KMvX6UkMZdEMLHMgifPdEoLIeLA+6:CNPSiJZ4xy8DlivXREMBOlEoMeLjCiQ
                                                                  MD5:7827620BA2CD12D54B41C006BA4D686C
                                                                  SHA1:F6B40CB23006AD0E1AFD4C08CA943A75258FAB34
                                                                  SHA-256:9DAA46F8D84B0E65E2D5FDF7FCD80FF6CA922278C32A2B5C9425C0C5EF7D2096
                                                                  SHA-512:9782FB4DBA6F62A589BF213AE5CCE3F66514319363F499B584DC854ACC1DCD94221102BDDAC982AA9DB36C5B7696BD1ABACF7C15771CDECC317B2F3421CCA321
                                                                  Malicious:false
                                                                  Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 11 0 R/MarkInfo<</Marked true>>/Metadata 22 0 R/ViewerPreferences 23 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image9 9 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 188>>..stream..x.E.K..@.......R..!.4 .|$FB.."ZH.+............x.h..!/."..f....X.Q.8M.D0aGK..+.J{x.....(.kJ.FBJ&|.7J...H..f..%..Nory..M'...m9%g.......4.(AV&............2...H..B...Z..o.V#.c.....6k..endstream..endobj..5 0 obj..<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/BCDEEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 32/Widths 20 0 R>>..endobj..6 0 obj..<</Type/FontDescriptor/FontName/BCDEEE+Calibri/Flags 3
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                  Category:dropped
                                                                  Size (bytes):144514
                                                                  Entropy (8bit):7.992637131260696
                                                                  Encrypted:true
                                                                  SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                  MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                  SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                  SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                  SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                  Malicious:false
                                                                  Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
                                                                  Category:dropped
                                                                  Size (bytes):144514
                                                                  Entropy (8bit):7.992637131260696
                                                                  Encrypted:true
                                                                  SSDEEP:3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
                                                                  MD5:BA1716D4FB435DA6C47CE77E3667E6A8
                                                                  SHA1:AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
                                                                  SHA-256:AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
                                                                  SHA-512:65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
                                                                  Malicious:false
                                                                  Preview:PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..|....,.A.....Z..a<.C._..../G|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with very long lines (393)
                                                                  Category:dropped
                                                                  Size (bytes):16525
                                                                  Entropy (8bit):5.345946398610936
                                                                  Encrypted:false
                                                                  SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                  MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                  SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                  SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                  SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                  Malicious:false
                                                                  Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):15114
                                                                  Entropy (8bit):5.333697653879864
                                                                  Encrypted:false
                                                                  SSDEEP:384:J2bv2cz2cm2Jj2Jj2J62J8Y2JG2Jd2Jd2Wg2WW2Wr2t42tW2tY2tW26z2672682l:JQFM4SptYhY6Ei3TnFhrDkjp2PIPE8mF
                                                                  MD5:8336270DE6DB3DF0FD4893BDC9ADEC17
                                                                  SHA1:5E4AF8A93326E37EF039B7319E16FC6115243BA4
                                                                  SHA-256:ADFAE1EFCBDC8950DB04A9607358B2B236682DE179A400FAF8A4EE3BF0371EFF
                                                                  SHA-512:4750FDC77D93021AC2F39AE81B1033DA6C30D0F81B707E6421337017BF60DCD740DE39DCB3A52CCDA01707BB561BAA922CF41C536907C6294FBF002DC31BD53D
                                                                  Malicious:false
                                                                  Preview:SessionID=52ef6af7-a8ac-4ed2-a902-b4e0805e9b2a.1730116459988 Timestamp=2024-10-28T07:54:19:988-0400 ThreadID=3756 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=52ef6af7-a8ac-4ed2-a902-b4e0805e9b2a.1730116459988 Timestamp=2024-10-28T07:54:19:990-0400 ThreadID=3756 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=52ef6af7-a8ac-4ed2-a902-b4e0805e9b2a.1730116459988 Timestamp=2024-10-28T07:54:19:990-0400 ThreadID=3756 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=52ef6af7-a8ac-4ed2-a902-b4e0805e9b2a.1730116459988 Timestamp=2024-10-28T07:54:19:991-0400 ThreadID=3756 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=52ef6af7-a8ac-4ed2-a902-b4e0805e9b2a.1730116459988 Timestamp=2024-10-28T07:54:19:991-0400 ThreadID=3756 Component=ngl-lib_NglAppLib Description="SetConf
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):29752
                                                                  Entropy (8bit):5.388653477191486
                                                                  Encrypted:false
                                                                  SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rW:iGGihyTibXjb8
                                                                  MD5:A7B0ED2D32867B8CC3F0F71094029110
                                                                  SHA1:5AA4D327B8BA05B0867530FC5596D1EA356909D3
                                                                  SHA-256:23F0B5F5B0041AAF9CD7D567CF6D12482FB5F594CD2847E73F23A25C9D91F298
                                                                  SHA-512:1ED8B7A4B61B6558572013153D02930F4270696EA01ECA7698F36AFB99601F327599AFF40019C3BF66B551644C2CB0F22A42B0E261F33F4FDCD6B7267953DCE5
                                                                  Malicious:false
                                                                  Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                  Category:dropped
                                                                  Size (bytes):386528
                                                                  Entropy (8bit):7.9736851559892425
                                                                  Encrypted:false
                                                                  SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                  MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                  SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                  SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                  SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                  Malicious:false
                                                                  Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                  Category:dropped
                                                                  Size (bytes):758601
                                                                  Entropy (8bit):7.98639316555857
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                  MD5:3A49135134665364308390AC398006F1
                                                                  SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                  SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                  SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                  Malicious:false
                                                                  Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                  Category:dropped
                                                                  Size (bytes):1407294
                                                                  Entropy (8bit):7.97605879016224
                                                                  Encrypted:false
                                                                  SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                  MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                  SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                  SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                  SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                  Malicious:false
                                                                  Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                  Category:dropped
                                                                  Size (bytes):1419751
                                                                  Entropy (8bit):7.976496077007677
                                                                  Encrypted:false
                                                                  SSDEEP:24576:/x0WL07oXGZuwYIGNPJwdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:J0WLxXGZuwZGM3mlind9i4ufFXpAXkru
                                                                  MD5:E1FE9FA2454D30CD849F2060D8FED227
                                                                  SHA1:5B5A33E386D7A2254DB5934F688C1F1A72A9D6C9
                                                                  SHA-256:4B0AD0558FB8C3D63817011FCA33E51A9E9C46A91407B705C4E5150AE4E5A3E4
                                                                  SHA-512:C81A8B39C571531DC52A71E34188D3C95797B69E82A74896019723E0217A00D58367118886DDEEEC4AEAAF8A80931BA22459104847E2B0D8A77070BFEE3BE7F1
                                                                  Malicious:false
                                                                  Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                  Process:C:\Users\user\Desktop\0438.pdf.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                  Category:dropped
                                                                  Size (bytes):11554816
                                                                  Entropy (8bit):7.9382387394429115
                                                                  Encrypted:false
                                                                  SSDEEP:196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
                                                                  MD5:0C88F651EEA7EBD95DF08F6A492FCB38
                                                                  SHA1:93E622BB18056BB61DD11805D91AB1F9267CBD67
                                                                  SHA-256:A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
                                                                  SHA-512:41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
                                                                  Malicious:false
                                                                  Preview:......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):98682
                                                                  Entropy (8bit):6.445287254681573
                                                                  Encrypted:false
                                                                  SSDEEP:1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
                                                                  MD5:7113425405A05E110DC458BBF93F608A
                                                                  SHA1:88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
                                                                  SHA-256:7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
                                                                  SHA-512:6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
                                                                  Malicious:false
                                                                  Preview:0...u0...\...0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):737
                                                                  Entropy (8bit):7.501268097735403
                                                                  Encrypted:false
                                                                  SSDEEP:12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
                                                                  MD5:5274D23C3AB7C3D5A4F3F86D4249A545
                                                                  SHA1:8A3778F5083169B281B610F2036E79AEA3020192
                                                                  SHA-256:8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
                                                                  SHA-512:FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
                                                                  Malicious:false
                                                                  Preview:0...0.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0...*.H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R*.......~....)....i.*n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                  Category:dropped
                                                                  Size (bytes):11554816
                                                                  Entropy (8bit):7.9382387394429115
                                                                  Encrypted:false
                                                                  SSDEEP:196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
                                                                  MD5:0C88F651EEA7EBD95DF08F6A492FCB38
                                                                  SHA1:93E622BB18056BB61DD11805D91AB1F9267CBD67
                                                                  SHA-256:A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
                                                                  SHA-512:41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
                                                                  Malicious:false
                                                                  Preview:......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                  Category:dropped
                                                                  Size (bytes):11554816
                                                                  Entropy (8bit):7.9382387394429115
                                                                  Encrypted:false
                                                                  SSDEEP:196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
                                                                  MD5:0C88F651EEA7EBD95DF08F6A492FCB38
                                                                  SHA1:93E622BB18056BB61DD11805D91AB1F9267CBD67
                                                                  SHA-256:A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
                                                                  SHA-512:41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
                                                                  Malicious:false
                                                                  Preview:......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):294216
                                                                  Entropy (8bit):4.850884515150002
                                                                  Encrypted:false
                                                                  SSDEEP:3072:ARoy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+oNbynfs:ARoy25DXmNDXLDXX+oNbynfs
                                                                  MD5:1FD0EBFEB370957BF8009CCC259A27D1
                                                                  SHA1:618F8DCD9845757AE790FD34A0D7EE7FBC67DB27
                                                                  SHA-256:634543FA97F9695C4A84B205A18D3F2F5E86C7312B6E8C7D448262A717C5BD12
                                                                  SHA-512:CF5E6AD50E1C922CBA5E89E28FE5F90E7FA7BC880F554F7DA40046C388AEB59821C332302F05DEB58DC9364EA1BB76013B9A6EECFC10A1ADAD39F89E3A04599D
                                                                  Malicious:false
                                                                  Preview:...@IXOS.@.....@.>\Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.1622271175128618
                                                                  Encrypted:false
                                                                  SSDEEP:12:JSbX72FjiAGiLIlHVRpqh/7777777777777777777777777vDHFGpZl0i8Q:JQQI56dF
                                                                  MD5:A6009B55135723E6DD67DB905DD2344C
                                                                  SHA1:C575D272D4F79D6E6196AC5257EB6D5B1822CE68
                                                                  SHA-256:31D2B7955F4AD70292D556424EAB52CF79244A31BC24520BEC2E8369F29E4485
                                                                  SHA-512:406B3C3D437BF69834FE535012FD588725E277E04891546ED3CAF7F7BACB477C019A002DEF4196F3F14817E2F58579CA7FA198DBCC6F50A96D3D8EA2A7FE73FE
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.7862157285028544
                                                                  Encrypted:false
                                                                  SSDEEP:48:V8Ph+uRc06WXJMnT5X9gU9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YVo9ISB29lOp:4h+1vnTEzm0WlfPuvqC0WlfIF/
                                                                  MD5:C3E28328351ECD3462AE13592FD443BA
                                                                  SHA1:6E380A25DED35D5A6BBCEA65774406042C3C809B
                                                                  SHA-256:1B7E53D6CEB113FCCC99286E783439BB75C8518BF25AC033E16698BEDB3BCD4D
                                                                  SHA-512:B1B54C3161FEB8AE70DEF5FDCB14277399D04D296E6A2C0FCA331493AE462A05FA6EB60DCE5B243E06B25444E5F9FDDFCE2EA57F69C39C8C1866E65D71646A42
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):53248
                                                                  Entropy (8bit):4.351781833522881
                                                                  Encrypted:false
                                                                  SSDEEP:384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
                                                                  MD5:CA680899D9330BEB85E6351E6DC0D27B
                                                                  SHA1:41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
                                                                  SHA-256:EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
                                                                  SHA-512:3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):57344
                                                                  Entropy (8bit):4.774504587732323
                                                                  Encrypted:false
                                                                  SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                  MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                  SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                  SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                  SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):49152
                                                                  Entropy (8bit):4.31126714354722
                                                                  Encrypted:false
                                                                  SSDEEP:384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
                                                                  MD5:6A4AFFF2CD33613166B37A0DAB99BD41
                                                                  SHA1:FBC0F1696213B459D099A5809D79CFC01253880F
                                                                  SHA-256:53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
                                                                  SHA-512:7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):57344
                                                                  Entropy (8bit):4.774504587732323
                                                                  Encrypted:false
                                                                  SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                  MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                  SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                  SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                  SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):57344
                                                                  Entropy (8bit):4.774504587732323
                                                                  Encrypted:false
                                                                  SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                  MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                  SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                  SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                  SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):432221
                                                                  Entropy (8bit):5.375165202474663
                                                                  Encrypted:false
                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauV:zTtbmkExhMJCIpErs
                                                                  MD5:406F7FD7DA2582ED82771FB43009F00F
                                                                  SHA1:600EDB408492FEA2A10E35FCCF30BBD0F34B03CB
                                                                  SHA-256:41087FFA9DA9E31C6AD044E9F287D12E2E8605B415BE213914B12B33A1BA3EB6
                                                                  SHA-512:6C53567ECEA8B9766628FD98D55B8985DDDFDA3258BD973C6E630F8F0E22E928E28DCA15A82D4DD0F7D6799721BFB459624957DD0DFB9EA5AC69C8679E719B09
                                                                  Malicious:false
                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                  Process:C:\Windows\System32\svchost.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):55
                                                                  Entropy (8bit):4.306461250274409
                                                                  Encrypted:false
                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                  Malicious:false
                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.7862157285028544
                                                                  Encrypted:false
                                                                  SSDEEP:48:V8Ph+uRc06WXJMnT5X9gU9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YVo9ISB29lOp:4h+1vnTEzm0WlfPuvqC0WlfIF/
                                                                  MD5:C3E28328351ECD3462AE13592FD443BA
                                                                  SHA1:6E380A25DED35D5A6BBCEA65774406042C3C809B
                                                                  SHA-256:1B7E53D6CEB113FCCC99286E783439BB75C8518BF25AC033E16698BEDB3BCD4D
                                                                  SHA-512:B1B54C3161FEB8AE70DEF5FDCB14277399D04D296E6A2C0FCA331493AE462A05FA6EB60DCE5B243E06B25444E5F9FDDFCE2EA57F69C39C8C1866E65D71646A42
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):20480
                                                                  Entropy (8bit):1.7862157285028544
                                                                  Encrypted:false
                                                                  SSDEEP:48:V8Ph+uRc06WXJMnT5X9gU9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YVo9ISB29lOp:4h+1vnTEzm0WlfPuvqC0WlfIF/
                                                                  MD5:C3E28328351ECD3462AE13592FD443BA
                                                                  SHA1:6E380A25DED35D5A6BBCEA65774406042C3C809B
                                                                  SHA-256:1B7E53D6CEB113FCCC99286E783439BB75C8518BF25AC033E16698BEDB3BCD4D
                                                                  SHA-512:B1B54C3161FEB8AE70DEF5FDCB14277399D04D296E6A2C0FCA331493AE462A05FA6EB60DCE5B243E06B25444E5F9FDDFCE2EA57F69C39C8C1866E65D71646A42
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.4151703296967835
                                                                  Encrypted:false
                                                                  SSDEEP:48:MlWuDM+CFXJjT55qA9gU9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YVo9ISB29lOdb:QWZ7T38zm0WlfPuvqC0WlfIF/
                                                                  MD5:5F464FF36B40C781698BFC75E7209460
                                                                  SHA1:D8064FBB6343CDCFC65B5C6C97E13064B9B8A715
                                                                  SHA-256:C8426CDDA248DA7F6CF10CFE21AC9807B7F5F9741AF7B1DC04EEE379038A66A2
                                                                  SHA-512:A0AE0C5E623372D75EF9D72451A7562267C6076E2A90C2386CD2DEBBA758B0D5D7C3DE89AE8D1E92F9FE1389E1EF72184AE05F50CDB5F4808D8FFA93CDFA8C7D
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.4151703296967835
                                                                  Encrypted:false
                                                                  SSDEEP:48:MlWuDM+CFXJjT55qA9gU9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YVo9ISB29lOdb:QWZ7T38zm0WlfPuvqC0WlfIF/
                                                                  MD5:5F464FF36B40C781698BFC75E7209460
                                                                  SHA1:D8064FBB6343CDCFC65B5C6C97E13064B9B8A715
                                                                  SHA-256:C8426CDDA248DA7F6CF10CFE21AC9807B7F5F9741AF7B1DC04EEE379038A66A2
                                                                  SHA-512:A0AE0C5E623372D75EF9D72451A7562267C6076E2A90C2386CD2DEBBA758B0D5D7C3DE89AE8D1E92F9FE1389E1EF72184AE05F50CDB5F4808D8FFA93CDFA8C7D
                                                                  Malicious:false
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):73728
                                                                  Entropy (8bit):0.22162855536792636
                                                                  Encrypted:false
                                                                  SSDEEP:48:PHwmFSB29lOd5YpRXd5YNd5YGd5YMd5Yu9mSvOd5YpRXd5YNd5YGd5YMd5YP6AdZ:PH5FqC0WlfVm0WlfPuM
                                                                  MD5:BCCDFF0B6E288571EB82478D88B1C9E4
                                                                  SHA1:38E8F2D69B357AF92E33D765DD2772EACA6B5BE1
                                                                  SHA-256:A9DFC20D5217B14676432954CA96F280F20C950C9769C407AD2F384D46032FE8
                                                                  SHA-512:B3CE3264F362C3FA176A9FE6491EC5A44A8590CCB5177E78FD9B2C4C15BAF5EE0DBAEABD3A19142A45B05BA072E2353F3FFB59456140AD6B1CE050F36A4D8F2B
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):1.4151703296967835
                                                                  Encrypted:false
                                                                  SSDEEP:48:MlWuDM+CFXJjT55qA9gU9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YVo9ISB29lOdb:QWZ7T38zm0WlfPuvqC0WlfIF/
                                                                  MD5:5F464FF36B40C781698BFC75E7209460
                                                                  SHA1:D8064FBB6343CDCFC65B5C6C97E13064B9B8A715
                                                                  SHA-256:C8426CDDA248DA7F6CF10CFE21AC9807B7F5F9741AF7B1DC04EEE379038A66A2
                                                                  SHA-512:A0AE0C5E623372D75EF9D72451A7562267C6076E2A90C2386CD2DEBBA758B0D5D7C3DE89AE8D1E92F9FE1389E1EF72184AE05F50CDB5F4808D8FFA93CDFA8C7D
                                                                  Malicious:false
                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):32768
                                                                  Entropy (8bit):0.06823846717123914
                                                                  Encrypted:false
                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOYYbmc6Vky6lZ:2F0i8n0itFzDHFTZ
                                                                  MD5:43121AF9C0468049B811D5DE9EE986C6
                                                                  SHA1:3D65F87A3C467D0DE2BF8F07A60621B947A9CE4C
                                                                  SHA-256:592C5B6D2ADD44B5EFCE1D5A353279925147188A1C15B56B1189E89FE97374E0
                                                                  SHA-512:0B09D5648F1374083996F24FF71AE87B22F152D907C91B84567CA27B985F05C447AF27527A3E760F44817300DB8680F73F5D86A36B9DC157AA3E6C5BB6BC6831
                                                                  Malicious:false
                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):512
                                                                  Entropy (8bit):0.0
                                                                  Encrypted:false
                                                                  SSDEEP:3::
                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                  Malicious:false
                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.9367051756500695
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:0438.pdf.exe
File size:11'654'747 bytes
MD5:2d11dba46735af1cb1c0a42e9564e20d
SHA1:b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256:e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
SHA512:f053c18333c256c87492e7e74832f2ba695c1633cc80d59e4d426eda82d27d7402a22803e439bb2453f4fa12f00697de355edd61c300b7624c66723d7e54dad0
SSDEEP:196608:tqwvI8YbsGBCEfbi57P6mCRTMFCxZ9zzvHLbax3QS+hbEPjwDhZzczDlUxMUd:ZIRwGjfbi5DCRoOPzzvfaEAPgOHm5d
TLSH:42C6331BFF5D04EAF1AF99F899415022D7B57CC51720868F23B43E4AED736A1AA35302
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\
Icon Hash:3570b080889388e1
Entrypoint:0x140032ee0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:b1c5b1beabd90d9fdabd1df0779ea832

Instruction
dec eax
sub esp, 28h
call 00007F53A8B04FA8h
dec eax
add esp, 28h
jmp 00007F53A8B0493Fh
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx
add ebx, edx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F53A8B03DC3h
mov eax, dword ptr [ebp+04h]
and al, 66h
neg al
mov eax, 00000001h
sbb edx, edx
neg edx
add edx, eax
test dword ptr [ebx+04h], edx
je 00007F53A8B04AD3h
dec esp
mov ecx, edi
dec ebp
mov eax, esi
dec eax
mov edx, esi
dec eax
mov ecx, ebp
call 00007F53A8B06AE7h
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov ebp, dword ptr [esp+38h]
dec eax
mov esi, dword ptr [esp+40h]
dec eax
mov edi, dword ptr [esp+48h]
dec eax
add esp, 20h
inc ecx
pop esi
ret
int3
int3
int3
dec eax
sub esp, 48h
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F53A8AF3353h
dec eax
lea edx, dword ptr [00025747h]
dec eax
lea ecx, dword ptr [esp+20h]
call 00007F53A8B05BA2h
int3
jmp 00007F53A8B0BD84h
int3
int3
int3
int3
int3
int3

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0x5f334 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0x970 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4676e | 0x46800 | f06bb06e02377ae8b223122e53be35c2 | False | 0.5372340425531915 | data | 6.47079645411382 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x48000 | 0x128c4 | 0x12a00 | 2de06d4a6920a6911e64ff20000ea72f | False | 0.4499003775167785 | data | 5.273999097784603 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x5b000 | 0xe75c | 0x1a00 | 0dbdb901a7d477980097e42e511a94fb | False | 0.28275240384615385 | data | 3.2571023907881185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x6a000 | 0x306c | 0x3200 | b0ce0f057741ad2a4ef4717079fa34e9 | False | 0.483359375 | data | 5.501810413666288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x6e000 | 0x360 | 0x400 | 1fcc7b1d7a02443319f8fcc2be4ca936 | False | 0.2578125 | data | 3.0459938492946015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x6f000 | 0x15c | 0x200 | 3f331ec50f09ba861beaf955b33712d5 | False | 0.408203125 | data | 3.3356393424384843 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x70000 | 0x5f334 | 0x5f400 | ac83509a9abddcfebcee4527be350f1a | False | 0.06483503526902887 | data | 2.1781366278912278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd0000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x70644 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x7118c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x72738 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m | | | 0.023615261709619195
RT_ICON | 0xb4760 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.3191489361702128
RT_ICON | 0xb4bc8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.11867219917012448
RT_ICON | 0xb7170 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.17284240150093808
RT_ICON | 0xb8218 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.04436294806577547
RT_ICON | 0xc8a40 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.08644307982994803
RT_DIALOG | 0xccc68 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0xccef0 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0xcd02c | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0xcd118 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0xcd248 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0xcd580 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0xcd7d4 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0xcd9b8 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0xcdb84 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0xcdd3c | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0xcde84 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0xce2f0 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0xce458 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0xce5ac | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0xce6b8 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0xce774 | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0xce934 | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0xceb84 | 0x5a | data | | | 0.7555555555555555
RT_MANIFEST | 0xcebe0 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39786666666666665

DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Language of compilation system | Country where language is spoken | Map
English | United States |

No network behavior found

Target ID:0
Start time:07:54:14
Start date:28/10/2024
Path:C:\Users\user\Desktop\0438.pdf.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\0438.pdf.exe"
Imagebase:0x7ff6c2d90000
File size:11'654'747 bytes
MD5 hash:2D11DBA46735AF1CB1C0A42E9564E20D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:07:54:15
Start date:28/10/2024
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
Imagebase:0x7ff7adab0000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:07:54:15
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
                                                                  Imagebase:0x7ff6bc1b0000
                                                                  File size:5'641'176 bytes
                                                                  MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:3
                                                                  Start time:07:54:15
                                                                  Start date:28/10/2024
                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                  Imagebase:0x7ff7adab0000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:4
                                                                  Start time:07:54:17
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                  Imagebase:0x7ff74bb60000
                                                                  File size:3'581'912 bytes
                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:5
                                                                  Start time:07:54:17
                                                                  Start date:28/10/2024
                                                                  Path:C:\Windows\System32\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                  Imagebase:0x7ff6eef20000
                                                                  File size:55'320 bytes
                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:6
                                                                  Start time:07:54:17
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1592,i,1356508992648061810,7446310958173615635,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                  Imagebase:0x7ff74bb60000
                                                                  File size:3'581'912 bytes
                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:07:54:25
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000007.00000000.1792302513.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 3%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:07:54:27
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                                                                  Imagebase:0x400000
                                                                  File size:7'753'808 bytes
                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.1810551436.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                  Antivirus matches:
                                                                  • Detection: 3%, ReversingLabs
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:07:54:28
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:12
                                                                  Start time:07:54:29
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                                                                  Imagebase:0x400000
                                                                  File size:7'753'808 bytes
                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:07:54:30
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:07:54:30
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                                                                  Imagebase:0x400000
                                                                  File size:7'753'808 bytes
                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:07:54:31
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
                                                                  Imagebase:0x400000
                                                                  File size:7'753'808 bytes
                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:16
                                                                  Start time:07:54:33
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:17
                                                                  Start time:07:54:33
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:07:54:33
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:false

                                                                  Target ID:19
                                                                  Start time:07:54:34
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:07:54:35
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:07:54:36
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:24
                                                                  Start time:07:54:38
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:07:55:39
                                                                  Start date:28/10/2024
                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                  Imagebase:0x400000
                                                                  File size:6'307'408 bytes
                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:Borland Delphi
                                                                  Reputation:low
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:12.2%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:27.8%
                                                                    Total number of Nodes:2000
                                                                    Total number of Limit Nodes:27
execution_graph: the interactive call graph (2000 nodes, 27 limit nodes) is rendered from a node/edge dump that does not survive as readable text. Every node address starts with 0x7ff6c2d..., i.e. the graph covers a 64-bit image, not the 32-bit ROMFUSClient.exe processes listed above. The Windows API and runtime symbols recorded in the node labels are:

Loader / memory: GetModuleHandleW, GetModuleHandleExW, LoadLibraryExA, GetProcAddress, FreeLibrary, VirtualProtect, VirtualQuery, GetSystemInfo, RtlFreeHeap, EnterCriticalSection
File system: CreateFileW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, CloseHandle, FindFirstFileW, FindClose, GetTempPathW, MoveFileW, MoveFileExW, SetCurrentDirectoryW
Process / execution: ShellExecuteExW, GetCommandLineW, GetCurrentProcess, TerminateProcess, Sleep, GetTickCount, GetLastError, IsProcessorFeaturePresent
Exception handling: SetUnhandledExceptionFilter, UnhandledExceptionFilter, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlPcToFileHeader
Dialog / window: GetDlgItem, SetDlgItemTextW, SendDlgItemMessageW, SendMessageW, SetWindowTextW, GetWindowTextLengthW, GetWindowLongPtrW, SetWindowLongPtrW, GetMessageW, PeekMessageW, IsDialogMessageW, TranslateMessage, DispatchMessageW, ShowWindow, SetFocus, EnableWindow, EndDialog, GetWindow, GetClassNameW, GetObjectW, GetDC, GetDeviceCaps, ReleaseDC, DeleteObject, LoadStringW
Strings: WideCharToMultiByte, CompareStringW, _snwprintf, swprintf
MSVC runtime internals: _invalid_parameter_noinfo_noreturn, _handle_error, _com_raise_error, _com_error::_com_error, std::bad_alloc::bad_alloc, std::_Xinvalid_argument, Concurrency::cancel_current_task, Concurrency::details::SchedulerProxy::DeleteThis, BuildCatchObjectHelperInternal, __scrt_get_show_window_mode, _set_errno_from_matherr, abort, and the delay-load helpers DloadProtectSection and DloadReleaseSectionWriteAccess
27048 7ff6c2db0f68 WideCharToMultiByte 27047->27048 27049 7ff6c2daa519 27048->27049 27050 7ff6c2daa589 27049->27050 27064 7ff6c2da9800 31 API calls 27049->27064 27068 7ff6c2daa56a SetDlgItemTextW 27049->27068 27070 7ff6c2da9408 27050->27070 27053 7ff6c2daa6f2 GetSystemMetrics GetWindow 27055 7ff6c2daa821 27053->27055 27056 7ff6c2daa71d 27053->27056 27054 7ff6c2daa603 27057 7ff6c2daa6c2 27054->27057 27058 7ff6c2daa60c GetWindowLongPtrW 27054->27058 27060 7ff6c2dc2320 _handle_error 8 API calls 27055->27060 27056->27055 27067 7ff6c2daa73e GetWindowRect 27056->27067 27069 7ff6c2daa800 GetWindow 27056->27069 27085 7ff6c2da95a8 27057->27085 27061 7ff6c2dfe2c0 27058->27061 27065 7ff6c2daa830 27060->27065 27062 7ff6c2daa6aa GetWindowRect 27061->27062 27062->27057 27064->27049 27065->26736 27066 7ff6c2daa6e5 SetWindowTextW 27066->27053 27067->27056 27068->27049 27069->27055 27069->27056 27071 7ff6c2da95a8 47 API calls 27070->27071 27073 7ff6c2da944f 27071->27073 27072 7ff6c2dc2320 _handle_error 8 API calls 27074 7ff6c2da958e GetWindowRect GetClientRect 27072->27074 27075 7ff6c2d9129c 33 API calls 27073->27075 27083 7ff6c2da955a 27073->27083 27074->27053 27074->27054 27076 7ff6c2da949c 27075->27076 27077 7ff6c2da95a1 27076->27077 27079 7ff6c2d9129c 33 API calls 27076->27079 27078 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27077->27078 27080 7ff6c2da95a7 27078->27080 27081 7ff6c2da9514 27079->27081 27082 7ff6c2da959c 27081->27082 27081->27083 27084 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27082->27084 27083->27072 27084->27077 27086 7ff6c2da3e28 swprintf 46 API calls 27085->27086 27087 7ff6c2da95eb 27086->27087 27088 7ff6c2db0f68 WideCharToMultiByte 27087->27088 27089 7ff6c2da9603 27088->27089 27090 7ff6c2da9800 31 API calls 27089->27090 27091 7ff6c2da961b 27090->27091 27092 7ff6c2dc2320 _handle_error 8 API calls 27091->27092 27093 7ff6c2da962b 27092->27093 27093->27053 27093->27066 27095 7ff6c2d913a4 33 API calls 27094->27095 27096 
7ff6c2d92462 GetWindowTextW 27095->27096 27097 7ff6c2d92494 27096->27097 27098 7ff6c2d9129c 33 API calls 27097->27098 27099 7ff6c2d924a2 27098->27099 27102 7ff6c2d92505 27099->27102 27104 7ff6c2d924dd 27099->27104 27100 7ff6c2dc2320 _handle_error 8 API calls 27101 7ff6c2d924f3 27100->27101 27101->26745 27103 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27102->27103 27105 7ff6c2d9250a 27103->27105 27104->27100 27107->26770 27109 7ff6c2dbae80 GetDlgItem 27108->27109 27110 7ff6c2dbae3c GetMessageW 27108->27110 27109->26781 27109->26782 27111 7ff6c2dbae5b IsDialogMessageW 27110->27111 27112 7ff6c2dbae6a TranslateMessage DispatchMessageW 27110->27112 27111->27109 27111->27112 27112->27109 27115 7ff6c2da36b3 27113->27115 27114 7ff6c2da36e0 27116 7ff6c2da32bc 51 API calls 27114->27116 27115->27114 27117 7ff6c2da36cc CreateDirectoryW 27115->27117 27118 7ff6c2da36ee 27116->27118 27117->27114 27119 7ff6c2da377d 27117->27119 27120 7ff6c2da3791 GetLastError 27118->27120 27123 7ff6c2da6a0c 49 API calls 27118->27123 27121 7ff6c2da378d 27119->27121 27133 7ff6c2da3d34 27119->27133 27120->27121 27124 7ff6c2dc2320 _handle_error 8 API calls 27121->27124 27125 7ff6c2da371c 27123->27125 27126 7ff6c2da37b9 27124->27126 27127 7ff6c2da3720 CreateDirectoryW 27125->27127 27128 7ff6c2da373b 27125->27128 27126->26800 27127->27128 27129 7ff6c2da3774 27128->27129 27130 7ff6c2da37ce 27128->27130 27129->27119 27129->27120 27131 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27130->27131 27132 7ff6c2da37d3 27131->27132 27134 7ff6c2da3d5e SetFileAttributesW 27133->27134 27135 7ff6c2da3d5b 27133->27135 27136 7ff6c2da3d74 27134->27136 27143 7ff6c2da3df5 27134->27143 27135->27134 27137 7ff6c2da6a0c 49 API calls 27136->27137 27139 7ff6c2da3d99 27137->27139 27138 7ff6c2dc2320 _handle_error 8 API calls 27140 7ff6c2da3e0a 27138->27140 27141 7ff6c2da3d9d SetFileAttributesW 27139->27141 27142 7ff6c2da3dbc 27139->27142 27140->27121 27141->27142 27142->27143 27144 7ff6c2da3e1a 
27142->27144 27143->27138 27145 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27144->27145 27146 7ff6c2da3e1f 27145->27146 27148 7ff6c2d97206 27147->27148 27149 7ff6c2d9713b 27147->27149 27157 7ff6c2d9704c 47 API calls BuildCatchObjectHelperInternal 27148->27157 27153 7ff6c2d9714b BuildCatchObjectHelperInternal 27149->27153 27156 7ff6c2d93f48 33 API calls 2 library calls 27149->27156 27151 7ff6c2d9720b 27154 7ff6c2d97273 27151->27154 27158 7ff6c2d9889c 8 API calls BuildCatchObjectHelperInternal 27151->27158 27153->26816 27154->26816 27156->27153 27157->27151 27158->27151 27160 7ff6c2dbaa36 27159->27160 27161 7ff6c2dbaa2f 27159->27161 27160->27161 27288 7ff6c2d91744 33 API calls 4 library calls 27160->27288 27161->26970 27163->26970 27165 7ff6c2dba47f 27164->27165 27186 7ff6c2dba706 27164->27186 27289 7ff6c2dbcdf8 33 API calls 27165->27289 27167 7ff6c2dc2320 _handle_error 8 API calls 27169 7ff6c2dba717 27167->27169 27168 7ff6c2dba49e 27170 7ff6c2d9129c 33 API calls 27168->27170 27169->26913 27171 7ff6c2dba4de 27170->27171 27172 7ff6c2d9129c 33 API calls 27171->27172 27173 7ff6c2dba517 27172->27173 27174 7ff6c2d9129c 33 API calls 27173->27174 27175 7ff6c2dba54a 27174->27175 27290 7ff6c2dba834 33 API calls _invalid_parameter_noinfo_noreturn 27175->27290 27177 7ff6c2dba734 27179 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27177->27179 27178 7ff6c2dba573 27178->27177 27180 7ff6c2dba73a 27178->27180 27181 7ff6c2dba740 27178->27181 27184 7ff6c2d920b0 33 API calls 27178->27184 27185 7ff6c2dba685 27178->27185 27179->27180 27182 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27180->27182 27183 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27181->27183 27182->27181 27187 7ff6c2dba746 27183->27187 27184->27185 27185->27186 27185->27187 27188 7ff6c2dba72f 27185->27188 27186->27167 27189 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27187->27189 27191 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 
API calls 27188->27191 27190 7ff6c2dba74c 27189->27190 27192 7ff6c2d9255c 61 API calls 27190->27192 27191->27177 27193 7ff6c2dba795 27192->27193 27194 7ff6c2dba7b1 27193->27194 27195 7ff6c2dba801 SetDlgItemTextW 27193->27195 27199 7ff6c2dba7a1 27193->27199 27196 7ff6c2dc2320 _handle_error 8 API calls 27194->27196 27195->27194 27197 7ff6c2dba827 27196->27197 27197->26913 27198 7ff6c2dba7ad 27198->27194 27200 7ff6c2dba7b7 EndDialog 27198->27200 27199->27194 27199->27198 27291 7ff6c2dabb00 102 API calls 27199->27291 27200->27194 27207 7ff6c2dbf529 __scrt_get_show_window_mode 27202->27207 27218 7ff6c2dbf87d 27202->27218 27203 7ff6c2d91fa0 31 API calls 27204 7ff6c2dbf89c 27203->27204 27205 7ff6c2dc2320 _handle_error 8 API calls 27204->27205 27206 7ff6c2dbf8a8 27205->27206 27206->26924 27208 7ff6c2dbf684 27207->27208 27292 7ff6c2db13c4 CompareStringW 27207->27292 27210 7ff6c2d9129c 33 API calls 27208->27210 27211 7ff6c2dbf6c0 27210->27211 27212 7ff6c2da32a8 51 API calls 27211->27212 27213 7ff6c2dbf6ca 27212->27213 27214 7ff6c2d91fa0 31 API calls 27213->27214 27217 7ff6c2dbf6d5 27214->27217 27215 7ff6c2dbf742 ShellExecuteExW 27216 7ff6c2dbf846 27215->27216 27223 7ff6c2dbf755 27215->27223 27216->27218 27221 7ff6c2dbf8fb 27216->27221 27217->27215 27220 7ff6c2d9129c 33 API calls 27217->27220 27218->27203 27219 7ff6c2dbf78e 27294 7ff6c2dbfe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 27219->27294 27224 7ff6c2dbf717 27220->27224 27225 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27221->27225 27222 7ff6c2dbf7e3 CloseHandle 27226 7ff6c2dbf801 27222->27226 27227 7ff6c2dbf7f2 27222->27227 27223->27219 27223->27222 27232 7ff6c2dbf781 ShowWindow 27223->27232 27293 7ff6c2da5b60 53 API calls 2 library calls 27224->27293 27230 7ff6c2dbf900 27225->27230 27226->27216 27237 7ff6c2dbf837 ShowWindow 27226->27237 27295 7ff6c2db13c4 CompareStringW 27227->27295 27229 7ff6c2dbf725 27235 7ff6c2d91fa0 31 API calls 27229->27235 27232->27219 
27234 7ff6c2dbf7a6 27234->27222 27238 7ff6c2dbf7b4 GetExitCodeProcess 27234->27238 27236 7ff6c2dbf72f 27235->27236 27236->27215 27237->27216 27238->27222 27239 7ff6c2dbf7c7 27238->27239 27239->27222 27240->26970 27241->26970 27242->26970 27243->26970 27244->26970 27245->26970 27246->26970 27247->26970 27248->26970 27249->26970 27251 7ff6c2da72ea 27250->27251 27296 7ff6c2d9b3a8 27251->27296 27254->26970 27256 7ff6c2da31e4 27255->27256 27257 7ff6c2da31e7 DeleteFileW 27255->27257 27256->27257 27258 7ff6c2da31fd 27257->27258 27265 7ff6c2da327c 27257->27265 27259 7ff6c2da6a0c 49 API calls 27258->27259 27262 7ff6c2da3222 27259->27262 27260 7ff6c2dc2320 _handle_error 8 API calls 27261 7ff6c2da3291 27260->27261 27261->26970 27263 7ff6c2da3226 DeleteFileW 27262->27263 27264 7ff6c2da3243 27262->27264 27263->27264 27264->27265 27266 7ff6c2da32a1 27264->27266 27265->27260 27267 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27266->27267 27268 7ff6c2da32a6 27267->27268 27270->26970 27271->26970 27272->26970 27273->26970 27274->26970 27275->26970 27278 7ff6c2dad25e 27276->27278 27277 7ff6c2dad292 27277->26974 27278->27277 27279 7ff6c2d91744 33 API calls 27278->27279 27279->27278 27280->26873 27282->26841 27283->26845 27284->26847 27285->26902 27288->27160 27289->27168 27290->27178 27291->27198 27292->27208 27293->27229 27294->27234 27295->27226 27299 7ff6c2d9b3f2 __scrt_get_show_window_mode 27296->27299 27297 7ff6c2dc2320 _handle_error 8 API calls 27298 7ff6c2d9b4b6 27297->27298 27298->26970 27299->27297 27356 7ff6c2da86ec 27300->27356 27302 7ff6c2d9e3c4 27362 7ff6c2d9e600 27302->27362 27304 7ff6c2d9e549 27309 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27304->27309 27305 7ff6c2d9e454 27305->27304 27306 7ff6c2d9e4d4 27305->27306 27307 7ff6c2dc21d0 33 API calls 27306->27307 27308 7ff6c2d9e4f0 27307->27308 27368 7ff6c2db3148 102 API calls 27308->27368 27317 7ff6c2d9e54e 27309->27317 27311 7ff6c2d9e51d 27312 7ff6c2dc2320 _handle_error 8 API calls 
27311->27312 27314 7ff6c2d9e52d 27312->27314 27313 7ff6c2da18c2 27315 7ff6c2da190d 27313->27315 27318 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27313->27318 27314->26990 27315->26990 27316 7ff6c2d91fa0 31 API calls 27316->27317 27317->27313 27317->27315 27317->27316 27319 7ff6c2da193b 27318->27319 27322 7ff6c2d9e7ea 27320->27322 27321 7ff6c2d9e8a1 27332 7ff6c2d9e900 27321->27332 27376 7ff6c2d9f578 27321->27376 27322->27321 27323 7ff6c2d9e864 27322->27323 27369 7ff6c2da3ec8 27322->27369 27323->27321 27325 7ff6c2d9e993 27323->27325 27326 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27325->27326 27330 7ff6c2d9e998 27326->27330 27327 7ff6c2d9e955 27329 7ff6c2dc2320 _handle_error 8 API calls 27327->27329 27331 7ff6c2d9e97e 27329->27331 27334 7ff6c2d9e578 27331->27334 27332->27327 27412 7ff6c2d928a4 82 API calls 2 library calls 27332->27412 28361 7ff6c2da15d8 27334->28361 27337 7ff6c2d9e59e 27338 7ff6c2d91fa0 31 API calls 27337->27338 27340 7ff6c2d9e5b7 27338->27340 27339 7ff6c2db1870 108 API calls 27339->27337 27341 7ff6c2d91fa0 31 API calls 27340->27341 27342 7ff6c2d9e5c3 27341->27342 27343 7ff6c2d91fa0 31 API calls 27342->27343 27344 7ff6c2d9e5cf 27343->27344 27345 7ff6c2da878c 108 API calls 27344->27345 27346 7ff6c2d9e5db 27345->27346 27347 7ff6c2d91fa0 31 API calls 27346->27347 27348 7ff6c2d9e5e4 27347->27348 27349 7ff6c2d91fa0 31 API calls 27348->27349 27353 7ff6c2d9e5ed 27349->27353 27350 7ff6c2da18c2 27351 7ff6c2da190d 27350->27351 27354 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27350->27354 27351->26994 27352 7ff6c2d91fa0 31 API calls 27352->27353 27353->27350 27353->27351 27353->27352 27355 7ff6c2da193b 27354->27355 27357 7ff6c2da870a 27356->27357 27358 7ff6c2dc21d0 33 API calls 27357->27358 27359 7ff6c2da872f 27358->27359 27360 7ff6c2dc21d0 33 API calls 27359->27360 27361 7ff6c2da8759 27360->27361 27361->27302 27363 7ff6c2d9e627 27362->27363 27366 7ff6c2d9e62c BuildCatchObjectHelperInternal 27362->27366 
27364 7ff6c2d91fa0 31 API calls 27363->27364 27364->27366 27365 7ff6c2d91fa0 31 API calls 27367 7ff6c2d9e668 BuildCatchObjectHelperInternal 27365->27367 27366->27365 27366->27367 27367->27305 27368->27311 27370 7ff6c2da72cc 8 API calls 27369->27370 27371 7ff6c2da3ee1 27370->27371 27372 7ff6c2da3f0f 27371->27372 27413 7ff6c2da40bc 27371->27413 27372->27322 27375 7ff6c2da3efa FindClose 27375->27372 27377 7ff6c2d9f598 _snwprintf 27376->27377 27439 7ff6c2d92950 27377->27439 27380 7ff6c2d9f5cc 27385 7ff6c2d9f5fc 27380->27385 27454 7ff6c2d933e4 27380->27454 27705 7ff6c2d92c54 27385->27705 27386 7ff6c2d9f5f8 27386->27385 27486 7ff6c2d93ad8 27386->27486 27391 7ff6c2d9f7cb 27496 7ff6c2d9f8a4 27391->27496 27392 7ff6c2d98d04 33 API calls 27394 7ff6c2d9f662 27392->27394 27725 7ff6c2da7918 48 API calls 2 library calls 27394->27725 27396 7ff6c2d9f677 27397 7ff6c2da3ec8 55 API calls 27396->27397 27404 7ff6c2d9f6ad 27397->27404 27399 7ff6c2d9f842 27399->27385 27517 7ff6c2d969f8 27399->27517 27528 7ff6c2d9f930 27399->27528 27405 7ff6c2d9f89a 27404->27405 27406 7ff6c2d9f74d 27404->27406 27407 7ff6c2da3ec8 55 API calls 27404->27407 27726 7ff6c2da7918 48 API calls 2 library calls 27404->27726 27408 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27405->27408 27406->27391 27406->27405 27409 7ff6c2d9f895 27406->27409 27407->27404 27411 7ff6c2d9f8a0 27408->27411 27410 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27409->27410 27410->27405 27412->27327 27414 7ff6c2da41d2 FindNextFileW 27413->27414 27415 7ff6c2da40f9 FindFirstFileW 27413->27415 27417 7ff6c2da41e1 GetLastError 27414->27417 27418 7ff6c2da41f3 27414->27418 27415->27418 27419 7ff6c2da411e 27415->27419 27420 7ff6c2da41c0 27417->27420 27421 7ff6c2da4211 27418->27421 27424 7ff6c2d920b0 33 API calls 27418->27424 27422 7ff6c2da6a0c 49 API calls 27419->27422 27425 7ff6c2dc2320 _handle_error 8 API calls 27420->27425 27428 7ff6c2d9129c 33 API calls 27421->27428 27423 7ff6c2da4144 27422->27423 27426 
7ff6c2da4148 FindFirstFileW 27423->27426 27434 7ff6c2da4167 27423->27434 27424->27421 27427 7ff6c2da3ef4 27425->27427 27426->27434 27427->27372 27427->27375 27429 7ff6c2da423b 27428->27429 27431 7ff6c2da8090 47 API calls 27429->27431 27430 7ff6c2da41af GetLastError 27430->27420 27432 7ff6c2da4249 27431->27432 27432->27420 27437 7ff6c2da430f 27432->27437 27433 7ff6c2da4314 27435 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27433->27435 27434->27418 27434->27430 27434->27433 27436 7ff6c2da431a 27435->27436 27438 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27437->27438 27438->27433 27440 7ff6c2d9296c 27439->27440 27441 7ff6c2da86ec 33 API calls 27440->27441 27442 7ff6c2d9298d 27441->27442 27443 7ff6c2dc21d0 33 API calls 27442->27443 27446 7ff6c2d92ac2 27442->27446 27444 7ff6c2d92ab0 27443->27444 27444->27446 27448 7ff6c2d991c8 35 API calls 27444->27448 27727 7ff6c2da4d04 27446->27727 27448->27446 27449 7ff6c2da2ca8 27453 7ff6c2da24c0 54 API calls 27449->27453 27450 7ff6c2da2cc1 27451 7ff6c2da2cc5 27450->27451 27741 7ff6c2d9b7e8 99 API calls 2 library calls 27450->27741 27451->27380 27453->27450 27481 7ff6c2da28d0 104 API calls 27454->27481 27455 7ff6c2d93674 27742 7ff6c2d928a4 82 API calls 2 library calls 27455->27742 27456 7ff6c2d93431 __scrt_get_show_window_mode 27463 7ff6c2d9344e 27456->27463 27467 7ff6c2d93601 27456->27467 27478 7ff6c2da2bb0 101 API calls 27456->27478 27458 7ff6c2d969f8 141 API calls 27460 7ff6c2d93682 27458->27460 27459 7ff6c2d934cc 27482 7ff6c2da28d0 104 API calls 27459->27482 27460->27458 27461 7ff6c2d9370c 27460->27461 27460->27467 27483 7ff6c2da2aa0 101 API calls 27460->27483 27466 7ff6c2d93740 27461->27466 27461->27467 27743 7ff6c2d928a4 82 API calls 2 library calls 27461->27743 27463->27455 27463->27460 27464 7ff6c2d935cb 27464->27463 27465 7ff6c2d935d7 27464->27465 27465->27467 27468 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27465->27468 27466->27467 27470 7ff6c2d9384d 27466->27470 27484 
7ff6c2da2bb0 101 API calls 27466->27484 27467->27386 27472 7ff6c2d93891 27468->27472 27469 7ff6c2d934eb 27469->27464 27479 7ff6c2da2aa0 101 API calls 27469->27479 27470->27467 27471 7ff6c2d920b0 33 API calls 27470->27471 27471->27467 27472->27386 27473 7ff6c2d935a7 27473->27464 27485 7ff6c2da28d0 104 API calls 27473->27485 27474 7ff6c2d969f8 141 API calls 27475 7ff6c2d9378e 27474->27475 27475->27474 27476 7ff6c2d93803 27475->27476 27477 7ff6c2da2aa0 101 API calls 27475->27477 27480 7ff6c2da2aa0 101 API calls 27476->27480 27477->27475 27478->27459 27479->27473 27480->27470 27481->27456 27482->27469 27483->27460 27484->27475 27485->27464 27487 7ff6c2d93af9 27486->27487 27492 7ff6c2d93b55 27486->27492 27744 7ff6c2d93378 27487->27744 27489 7ff6c2dc2320 _handle_error 8 API calls 27490 7ff6c2d93b67 27489->27490 27490->27391 27490->27392 27492->27489 27493 7ff6c2d93b6c 27494 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27493->27494 27495 7ff6c2d93b71 27494->27495 27975 7ff6c2da886c 27496->27975 27498 7ff6c2d9f8ba 27979 7ff6c2daef60 GetSystemTime SystemTimeToFileTime 27498->27979 27501 7ff6c2db0994 27502 7ff6c2dc0340 27501->27502 27503 7ff6c2da7df4 47 API calls 27502->27503 27504 7ff6c2dc0373 27503->27504 27505 7ff6c2daaae0 48 API calls 27504->27505 27506 7ff6c2dc0387 27505->27506 27507 7ff6c2dada98 48 API calls 27506->27507 27508 7ff6c2dc0397 27507->27508 27509 7ff6c2d91fa0 31 API calls 27508->27509 27510 7ff6c2dc03a2 27509->27510 27988 7ff6c2dbfc68 27510->27988 27518 7ff6c2d96a0e 27517->27518 27523 7ff6c2d96a0a 27517->27523 27527 7ff6c2da2bb0 101 API calls 27518->27527 27519 7ff6c2d96a1b 27520 7ff6c2d96a3e 27519->27520 27521 7ff6c2d96a2f 27519->27521 28083 7ff6c2d95130 130 API calls 2 library calls 27520->28083 27521->27523 28000 7ff6c2d95e24 27521->28000 27523->27399 27524 7ff6c2d96a3c 27524->27523 28084 7ff6c2d9466c 82 API calls 27524->28084 27527->27519 27529 7ff6c2d9f978 27528->27529 27532 7ff6c2d9f9b0 27529->27532 27541 7ff6c2d9fa34 27529->27541 
28206 7ff6c2db612c 146 API calls 3 library calls 27529->28206 27531 7ff6c2da1189 27533 7ff6c2da118e 27531->27533 27534 7ff6c2da11e1 27531->27534 27532->27531 27538 7ff6c2d9f9d0 27532->27538 27532->27541 27533->27541 28254 7ff6c2d9dd08 179 API calls 27533->28254 27534->27541 28255 7ff6c2db612c 146 API calls 3 library calls 27534->28255 27535 7ff6c2dc2320 _handle_error 8 API calls 27536 7ff6c2da11c4 27535->27536 27536->27399 27538->27541 28121 7ff6c2d99bb0 27538->28121 27541->27535 27542 7ff6c2d9fad6 28134 7ff6c2da5ef8 27542->28134 27706 7ff6c2d92c74 27705->27706 27709 7ff6c2d92c88 27705->27709 27706->27709 28340 7ff6c2d92d80 108 API calls _invalid_parameter_noinfo_noreturn 27706->28340 27707 7ff6c2d91fa0 31 API calls 27710 7ff6c2d92ca1 27707->27710 27709->27707 27712 7ff6c2d92d64 27710->27712 28341 7ff6c2d93090 31 API calls _invalid_parameter_noinfo_noreturn 27710->28341 27714 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27712->27714 27713 7ff6c2d92d08 28342 7ff6c2d93090 31 API calls _invalid_parameter_noinfo_noreturn 27713->28342 27717 7ff6c2d92d7c 27714->27717 27716 7ff6c2d92d14 27718 7ff6c2d91fa0 31 API calls 27716->27718 27719 7ff6c2d92d20 27718->27719 28343 7ff6c2da878c 27719->28343 27725->27396 27726->27404 27728 7ff6c2da4d32 __scrt_get_show_window_mode 27727->27728 27737 7ff6c2da4bac 27728->27737 27730 7ff6c2da4d54 27731 7ff6c2da4d90 27730->27731 27733 7ff6c2da4dae 27730->27733 27732 7ff6c2dc2320 _handle_error 8 API calls 27731->27732 27734 7ff6c2d92b32 27732->27734 27735 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27733->27735 27734->27380 27734->27449 27736 7ff6c2da4db3 27735->27736 27738 7ff6c2da4c27 27737->27738 27740 7ff6c2da4c2f BuildCatchObjectHelperInternal 27737->27740 27739 7ff6c2d91fa0 31 API calls 27738->27739 27739->27740 27740->27730 27741->27451 27742->27467 27743->27466 27745 7ff6c2d9339a 27744->27745 27748 7ff6c2d93396 27744->27748 27750 7ff6c2d93294 27745->27750 27748->27492 27748->27493 27749 7ff6c2da2aa0 
101 API calls 27749->27748 27751 7ff6c2d932bb 27750->27751 27753 7ff6c2d932f6 27750->27753 27752 7ff6c2d969f8 141 API calls 27751->27752 27756 7ff6c2d932db 27752->27756 27758 7ff6c2d96e74 27753->27758 27756->27749 27762 7ff6c2d96e95 27758->27762 27759 7ff6c2d969f8 141 API calls 27759->27762 27760 7ff6c2d9331d 27760->27756 27763 7ff6c2d93904 27760->27763 27762->27759 27762->27760 27790 7ff6c2dae808 27762->27790 27798 7ff6c2d96a7c 27763->27798 27766 7ff6c2d9396a 27769 7ff6c2d93989 27766->27769 27770 7ff6c2d9399a 27766->27770 27767 7ff6c2d93a8a 27771 7ff6c2dc2320 _handle_error 8 API calls 27767->27771 27831 7ff6c2db0d54 33 API calls 27769->27831 27775 7ff6c2d939a3 27770->27775 27776 7ff6c2d939ec 27770->27776 27774 7ff6c2d93a9e 27771->27774 27772 7ff6c2d93ab3 27777 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27772->27777 27774->27756 27832 7ff6c2db0c80 33 API calls 27775->27832 27833 7ff6c2d926b4 33 API calls BuildCatchObjectHelperInternal 27776->27833 27779 7ff6c2d93ab8 27777->27779 27784 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27779->27784 27780 7ff6c2d939b0 27785 7ff6c2d91fa0 31 API calls 27780->27785 27788 7ff6c2d939c0 BuildCatchObjectHelperInternal 27780->27788 27782 7ff6c2d91fa0 31 API calls 27789 7ff6c2d9394f 27782->27789 27783 7ff6c2d93a13 27834 7ff6c2db0ae8 34 API calls _invalid_parameter_noinfo_noreturn 27783->27834 27787 7ff6c2d93abe 27784->27787 27785->27788 27788->27782 27789->27767 27789->27772 27789->27779 27791 7ff6c2dae811 27790->27791 27792 7ff6c2dae82b 27791->27792 27796 7ff6c2d9b664 RtlPcToFileHeader RaiseException std::_Xinvalid_argument 27791->27796 27794 7ff6c2dae845 SetThreadExecutionState 27792->27794 27797 7ff6c2d9b664 RtlPcToFileHeader RaiseException std::_Xinvalid_argument 27792->27797 27796->27792 27797->27794 27799 7ff6c2d96a96 _snwprintf 27798->27799 27800 7ff6c2d96ae4 27799->27800 27801 7ff6c2d96ac4 27799->27801 27802 7ff6c2d96d4d 27800->27802 27806 7ff6c2d96b0f 27800->27806 27873 7ff6c2d928a4 82 API 
calls 2 library calls 27801->27873 27902 7ff6c2d928a4 82 API calls 2 library calls 27802->27902 27805 7ff6c2d96ad0 27807 7ff6c2dc2320 _handle_error 8 API calls 27805->27807 27806->27805 27835 7ff6c2db1f94 27806->27835 27808 7ff6c2d9394b 27807->27808 27808->27766 27808->27789 27830 7ff6c2d92794 33 API calls __std_swap_ranges_trivially_swappable 27808->27830 27811 7ff6c2d96b6e 27874 7ff6c2d928a4 82 API calls 2 library calls 27811->27874 27812 7ff6c2d96b80 27813 7ff6c2d96b85 27812->27813 27875 7ff6c2d940b0 27812->27875 27814 7ff6c2d96c2a 27813->27814 27829 7ff6c2d96b7b 27813->27829 27879 7ff6c2da8968 109 API calls 27813->27879 27844 7ff6c2da4760 27814->27844 27820 7ff6c2d96c52 27821 7ff6c2d96cd1 27820->27821 27822 7ff6c2d96cc7 27820->27822 27880 7ff6c2db1f20 27821->27880 27848 7ff6c2da1794 27822->27848 27825 7ff6c2d96ccf 27900 7ff6c2da4700 8 API calls _handle_error 27825->27900 27863 7ff6c2db1870 27829->27863 27830->27766 27831->27789 27832->27780 27833->27783 27834->27789 27836 7ff6c2db2056 std::bad_alloc::bad_alloc 27835->27836 27839 7ff6c2db1fc5 std::bad_alloc::bad_alloc 27835->27839 27838 7ff6c2dc4078 std::_Xinvalid_argument 2 API calls 27836->27838 27837 7ff6c2d96b59 27837->27811 27837->27812 27837->27813 27838->27839 27839->27837 27840 7ff6c2db200f std::bad_alloc::bad_alloc 27839->27840 27841 7ff6c2dc4078 std::_Xinvalid_argument 2 API calls 27839->27841 27840->27837 27842 7ff6c2dc4078 std::_Xinvalid_argument 2 API calls 27840->27842 27841->27840 27843 7ff6c2db20a9 27842->27843 27845 7ff6c2da4780 27844->27845 27847 7ff6c2da478a 27844->27847 27846 7ff6c2dc21d0 33 API calls 27845->27846 27846->27847 27847->27820 27849 7ff6c2da17be __scrt_get_show_window_mode 27848->27849 27903 7ff6c2da8a48 27849->27903 27864 7ff6c2db188e 27863->27864 27866 7ff6c2db18a1 27864->27866 27928 7ff6c2dae948 27864->27928 27870 7ff6c2db18d8 27866->27870 27919 7ff6c2dc236c 27866->27919 27868 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27869 7ff6c2db1ad0 27868->27869 27872 
7ff6c2db1a37 27870->27872 27923 7ff6c2daa984 27870->27923 27872->27868 27873->27805 27874->27829 27876 7ff6c2d940d7 __scrt_get_show_window_mode 27875->27876 27877 7ff6c2d940dd 27875->27877 27876->27813 27877->27876 27935 7ff6c2d94120 27877->27935 27879->27814 27881 7ff6c2db1f29 27880->27881 27882 7ff6c2db1f5d 27881->27882 27883 7ff6c2db1f55 27881->27883 27884 7ff6c2db1f49 27881->27884 27882->27825 27971 7ff6c2db3964 156 API calls 27883->27971 27941 7ff6c2db20ac 27884->27941 27902->27805 27905 7ff6c2da8bcd 27903->27905 27909 7ff6c2da8a91 BuildCatchObjectHelperInternal 27903->27909 27904 7ff6c2da8c1a 27905->27904 27907 7ff6c2d9a174 8 API calls 27905->27907 27907->27904 27908 7ff6c2db612c 146 API calls 27908->27909 27909->27905 27909->27908 27910 7ff6c2da8c1f 27909->27910 27911 7ff6c2da4888 108 API calls 27909->27911 27912 7ff6c2da28d0 104 API calls 27909->27912 27911->27909 27912->27909 27920 7ff6c2dc239f 27919->27920 27921 7ff6c2dc23c8 27920->27921 27922 7ff6c2db1870 108 API calls 27920->27922 27921->27870 27922->27920 27924 7ff6c2daa995 27923->27924 27925 7ff6c2daa9dd 27923->27925 27924->27925 27926 7ff6c2dc7904 _invalid_parameter_noinfo_noreturn 31 API calls 27924->27926 27925->27872 27927 7ff6c2daa9fe 27926->27927 27929 7ff6c2daecd8 103 API calls 27928->27929 27930 7ff6c2dae95f ReleaseSemaphore 27929->27930 27931 7ff6c2dae984 27930->27931 27932 7ff6c2dae9a3 DeleteCriticalSection CloseHandle CloseHandle 27930->27932 27933 7ff6c2daea5c 101 API calls 27931->27933 27934 7ff6c2dae98e CloseHandle 27933->27934 27934->27931 27934->27932 27938 7ff6c2d94149 27935->27938 27940 7ff6c2d94168 __std_swap_ranges_trivially_swappable __scrt_get_show_window_mode 27935->27940 27936 7ff6c2d92018 33 API calls 27937 7ff6c2d941eb 27936->27937 27939 7ff6c2dc21d0 33 API calls 27938->27939 27938->27940 27939->27940 27940->27936 27943 7ff6c2db20c8 __scrt_get_show_window_mode 27941->27943 27971->27882 27976 7ff6c2da8882 27975->27976 27977 7ff6c2da8892 27975->27977 27982 7ff6c2da23f0 
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
• String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
• API String ID: 255727823-2702805183
• Opcode ID: f09fb21a4dca633731e21fa30c3b65a2e70867797e80f2e70a23c2b24a2a3025
• Instruction ID: 5d433e36fe7c01657ca28522fb81cfdda5e27e919ae93a639d352fced84cd329
• Opcode Fuzzy Hash: f09fb21a4dca633731e21fa30c3b65a2e70867797e80f2e70a23c2b24a2a3025
• Instruction Fuzzy Hash: B4D2B022A0878285FA209F25E8646FA6361FFA578AF404331DDCD867E5DEBCF544C760
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
• String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
• API String ID: 3007431893-3916287355
• Opcode ID: 13eb6110c4e0ac35ec007d1b6c7a4b17d7f990185731ca232e56026f253a956b
• Instruction ID: 5a1ffb5e49d3fb80b63571bde21ca53320278d6dcbb9ae13625d7287982d0c64
• Opcode Fuzzy Hash: 13eb6110c4e0ac35ec007d1b6c7a4b17d7f990185731ca232e56026f253a956b
• Instruction Fuzzy Hash: E313BD22B04B8288EB10DF64D8502EC27A1EB6479DF900635DE9D97BD9DFB8F594C360

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                    • API String ID: 1048086575-3710569615
                                                                    • Opcode ID: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                    • Instruction ID: 41201f1c6d8368a8712f50869f21612591496c83d0cf1753d3e14c109368b448
                                                                    • Opcode Fuzzy Hash: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                    • Instruction Fuzzy Hash: 88127261A18B8285FB109F24E8552B96361FFA4B8AF404331DEDD86BA5DFBCF141C760

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                    • String ID: $%s:$CAPTION
                                                                    • API String ID: 2100155373-404845831
                                                                    • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                    • Instruction ID: 4e77bba9c63321c52622be934b76aff59efec48765092e7a194c77d02d65d943
                                                                    • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                    • Instruction Fuzzy Hash: 5D912B32B1864286E714DF39E400A6AB7A1FB94789F445635EE8D87B98DF7CF805CB10

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                    • String ID: PNG
                                                                    • API String ID: 211097158-364855578
                                                                    • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                    • Instruction ID: 30cb31cc90c5295a006b63aa3de459a9eb6b79a33defb21f573be3d4909c11d0
                                                                    • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                    • Instruction Fuzzy Hash: F0412125A19B0281EF159F16D85437963A0AFA8F9EF084635CD8DC7764EFBCF4898720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: __tmp_reference_source_
                                                                    • API String ID: 3668304517-685763994
                                                                    • Opcode ID: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                    • Instruction ID: 72fe544c6afc0bfef6ccfaed4a68cb0cb244fc7a17c88aeb9305af4efda12f3b
                                                                    • Opcode Fuzzy Hash: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                    • Instruction Fuzzy Hash: 34E2A262A086C292EB649F25D0507AE6761FBA178AF404232DFDD937A5CFBCF454C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: CMT
                                                                    • API String ID: 3668304517-2756464174
                                                                    • Opcode ID: 900f1335872eede1b1a492564cf610b08fbb687fb420bf81384da2f580c8fe8c
                                                                    • Instruction ID: 2bb355afd962d672debb7205328c4804417277c11e5fa9503553a273473762aa
                                                                    • Opcode Fuzzy Hash: 900f1335872eede1b1a492564cf610b08fbb687fb420bf81384da2f580c8fe8c
                                                                    • Instruction Fuzzy Hash: 06E2E622B1868186EB18AF65D0602FD6761FB6578DF400235EE9E87796DFBCF065C320

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                    • String ID:
                                                                    • API String ID: 474548282-0
                                                                    • Opcode ID: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                    • Instruction ID: c72f9f9db004406c841dd23bc4e389c5c2ee7352eff9137db12b149276251637
                                                                    • Opcode Fuzzy Hash: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                    • Instruction Fuzzy Hash: D761C562A08A4281EB109F25E84467D6361FBA57AAF504331EEFD837D9DFBCE484C710
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CMT
                                                                    • API String ID: 0-2756464174
                                                                    • Opcode ID: b8fa635b894758bb4949fb57bddd48836ff0d2ecd2be86fe1bb2065c738ed5aa
                                                                    • Instruction ID: 71fc300a3d4b7f49b142da9efc528634c98e880016e1cdf53af36690002ed136
                                                                    • Opcode Fuzzy Hash: b8fa635b894758bb4949fb57bddd48836ff0d2ecd2be86fe1bb2065c738ed5aa
                                                                    • Instruction Fuzzy Hash: 1142D522B0868196EB18EF74C1602FD67A1EB21749F400235EF9E93796DFB8F565C350
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9760fb6421b16e0e583802a284a649d5527ae7ea6cefd943f702fc6b6a5a6041
                                                                    • Instruction ID: 93fa9decb3dc55e48cddd515c292ad078f1d8a9a877b36f19576e5f455ebe886
                                                                    • Opcode Fuzzy Hash: 9760fb6421b16e0e583802a284a649d5527ae7ea6cefd943f702fc6b6a5a6041
                                                                    • Instruction Fuzzy Hash: BCE1C432A082C28AEB64CF2994642AD7790FB6974EF044239DFCE87785DEBCF5418714
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7c168ed217d6ee94b639b5969f98ff9de4250cf063ee499b97091ccf975894c5
                                                                    • Instruction ID: a47d2d88321c704459aab152622544bb4e50f613ac8c94d212b515057c2dcde0
                                                                    • Opcode Fuzzy Hash: 7c168ed217d6ee94b639b5969f98ff9de4250cf063ee499b97091ccf975894c5
                                                                    • Instruction Fuzzy Hash: 73B1EFA2B04AC992DE98CE66D518BE9A391B714FC9F448136DE8D8B740DFBCF155C310
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                    • String ID:
                                                                    • API String ID: 3340455307-0
                                                                    • Opcode ID: 9f1cbd0ae3de128b3baec150e1e4cd931595298ca254ea0b004e55239e899349
                                                                    • Instruction ID: f71ddb0742be28e9c9e09fdde9dd1196d740fcf893afa754232bd46e3a739fee
                                                                    • Opcode Fuzzy Hash: 9f1cbd0ae3de128b3baec150e1e4cd931595298ca254ea0b004e55239e899349
                                                                    • Instruction Fuzzy Hash: 16412722B19692C6FB64DF21A940B6A6252FBD478EF044234DE8E87795CEFCF442C314

                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                    • Function at 7ff6c2dadfd0; API calls on the graph: GetModuleHandleW, GetProcAddress, CreateFileW, SetFilePointer, ReadFile, CloseHandle, CompareStringW, AllocConsole, GetCurrentProcessId, AttachConsole, GetStdHandle, WriteConsoleW, Sleep, FreeConsole, ExitProcess
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                    • API String ID: 1496594111-2013832382
                                                                    • Opcode ID: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
                                                                    • Instruction ID: 3d5638501bf229661e9e43f825e83798f6a9e0ff83efac441379661b0f65aca7
                                                                    • Opcode Fuzzy Hash: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
                                                                    • Instruction Fuzzy Hash: 52322631A09F8299EB21DF20E8405E933A4FF64359F500336DE8D867A5EFB9E255C760
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DA8E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C2DA8F8D
                                                                    • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6C2DA9F75
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DAA42F
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DAA435
                                                                      • Part of subcall function 00007FF6C2DB0BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6C2DB0B44), ref: 00007FF6C2DB0BE9
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                    • API String ID: 3629253777-3268106645
                                                                    • Opcode ID: 96347e7981fae7733940ad93ba4258564ebec1a9a55cc8409c872ccb2165f156
                                                                    • Instruction ID: 3019e63c445ebc3528a8a5d5e30b46dbc6ddb9a6c9f7a3de0e61bb72e6f420bb
                                                                    • Opcode Fuzzy Hash: 96347e7981fae7733940ad93ba4258564ebec1a9a55cc8409c872ccb2165f156
                                                                    • Instruction Fuzzy Hash: 8E62AD22A19A82D5EB10DF24D444AFD6361FB60789F909332DE8E87795EFB8F544C360

                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                    • Function at 7ff6c2dc1900; API calls on the graph: RaiseException, LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                    • String ID: H
                                                                    • API String ID: 3432403771-2852464175
                                                                    • Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                    • Instruction ID: 071ec9ebdac61231b0bde1b98324a02e9041204fe01c7a00c59a73c03221c3c7
                                                                    • Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                    • Instruction Fuzzy Hash: 88915D32A05B618AEB00DF69D8402A833B1FB18B9EF544235DE8D97754EFB8F445C720

                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                    • Function at 7ff6c2dbf4e0; API calls on the graph: ShellExecuteExW, ShowWindow, GetExitCodeProcess, CloseHandle
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                    • String ID: .exe$.inf$Install$p
                                                                    • API String ID: 1054546013-3607691742
                                                                    • Opcode ID: bd083846a701d2a936ecc778425380adf73900159b5be9ae941c3623c510174f
                                                                    • Instruction ID: 3d92eede178b96154d1213b0686d6decdbd8323af9204e5269124f32ab2fc6de
                                                                    • Opcode Fuzzy Hash: bd083846a701d2a936ecc778425380adf73900159b5be9ae941c3623c510174f
                                                                    • Instruction Fuzzy Hash: 33C19362F0860299FB10CF65D95027923B1AFA4B8AF444231EECD877A5DFBCF4518325

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                    • String ID:
                                                                    • API String ID: 3569833718-0
                                                                    • Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                    • Instruction ID: 962ca0aaa1966977505f73b0f9c7f82a43e32fddfb3d7372e93b39ffaa0ba84d
                                                                    • Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                    • Instruction Fuzzy Hash: 5441E431F1464286F700CF61E814BAA23A0EB99B9EF440235DD8E87B95CFBDF4458768
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
                                                                    • Instruction ID: beb551efe18f2bc8cdb6343810859b87c8ff17d45f9aef8da5589b3587eba3af
                                                                    • Opcode Fuzzy Hash: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
                                                                    • Instruction Fuzzy Hash: 1612B062B08B4288EB10EF64D4542AD2361AB657ADF404332EE9D97BD9DFBCF095C350

                                                                    Control-flow Graph (legend: Executed / Not Executed)
                                                                    • Function at 7ff6c2da24c0; API calls on the graph: CreateFileW, GetLastError, SetFileTime
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3536497005-0
                                                                    • Opcode ID: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                    • Instruction ID: 524306a9c6585e68757bae4280d18d547d712ec86b7359e571489c3fd2130b77
                                                                    • Opcode Fuzzy Hash: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                    • Instruction Fuzzy Hash: 2961F262A1868185E7208F2AE40476E67B1FB947ACF100334DEEE83BD8CF7DE4958750

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                    • String ID: ]
                                                                    • API String ID: 3561356813-3352871620
                                                                    • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                    • Instruction ID: d1ac6991613470d94f6bb0e36222239920eab778b4a76a92aad0b0af43f32a96
                                                                    • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                    • Instruction Fuzzy Hash: 2C11B920B0938345FA249F21966477993D2AFA9BCAF180234DDDDC7B99DEACF8448710

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                                    • String ID:
                                                                    • API String ID: 1266772231-0
                                                                    • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                    • Instruction ID: bf8b6c3de9beae6546be1c0be59e00c9141e6301c4f5a712b09aa6df02ccef62
                                                                    • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                    • Instruction Fuzzy Hash: B5F0EC26B3854292FB649F25E8A5A762361BFA070AF805531ED8E81A54DF7CF508CB14

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                    • String ID: EDIT
                                                                    • API String ID: 4243998846-3080729518
                                                                    • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                    • Instruction ID: 63f7c83ba672b62460890bfea955356077173b8bfc28b79d3a5c4e9e72dcf90e
                                                                    • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                    • Instruction Fuzzy Hash: F0011761F14B8381FA249F21A8207F66350AF79B4AF845231CDCD86755DEACF1498A60

                                                                    Control-flow Graph

                                                                    Control-flow graph (rendered graph and executed/not-executed colouring not recoverable from the page): basic blocks 7ff6c2da2ce0 through 7ff6c2da2ecb; API calls GetStdHandle, WriteFile; internal calls to 7ff6c2dc2320, 7ff6c2d9b4f8, 7ff6c2dc797c, 7ff6c2d9129c, 7ff6c2d9bca8, 7ff6c2dc220c, 7ff6c2dc7904.
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite$Handle
                                                                    • String ID:
                                                                    • API String ID: 4209713984-0
                                                                    • Opcode ID: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                    • Instruction ID: 7d0f77379e9f8074edab99a875263a59c62e367e45969472ad801e3ce7ff0f30
                                                                    • Opcode Fuzzy Hash: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                    • Instruction Fuzzy Hash: E0510A62A18A4281EB119F16D40877A6310FF64B9AF440331DE8E87794DFBCF585C760

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                    • String ID:
                                                                    • API String ID: 2912839123-0
                                                                    • Opcode ID: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                    • Instruction ID: d437fcdf600b64a76b900d824e4412593ca1920861ed786c21d6b20d58ae0da9
                                                                    • Opcode Fuzzy Hash: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                    • Instruction Fuzzy Hash: 7D51A162F2465285FB00AFA4D8442AD2322AF64F9AF404735DE9D96BD9DFBCF441C320
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                    • String ID:
                                                                    • API String ID: 1452418845-0
                                                                    • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                    • Instruction ID: b6413ab252466a646c900d062f58299bd3a4759ef4eb923c42447d0e481e4651
                                                                    • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                    • Instruction Fuzzy Hash: 40315B20A0C20341EA55BF69A4593BA2391AF71B4EF440634EECEC77D3DEACB4458270

                                                                    Control-flow Graph

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 2359106489-0
                                                                    • Opcode ID: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                    • Instruction ID: 89997bcd127840f62b40898b088f87c0342f1b8574ed9743d13f1a43871a1277
                                                                    • Opcode Fuzzy Hash: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                    • Instruction Fuzzy Hash: 0931C522A0C682C1EBA09F25A4446796352FFA879AF540331EEDDC37D5CFBCF4858620
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$FileHandleRead
                                                                    • String ID:
                                                                    • API String ID: 2244327787-0
                                                                    • Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                    • Instruction ID: ac719cc12a49d97fbd4fb888701123777fd2c083dce81b960f068b8fd36546c0
                                                                    • Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                    • Instruction Fuzzy Hash: 2D218321A0C942C1EB605F12A4086396360FB66B9EF144738DEDEC6784CFBDF8858B31
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DAECD8: ResetEvent.KERNEL32 ref: 00007FF6C2DAECF1
                                                                      • Part of subcall function 00007FF6C2DAECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF6C2DAED07
                                                                    • ReleaseSemaphore.KERNEL32 ref: 00007FF6C2DAE974
                                                                    • CloseHandle.KERNELBASE ref: 00007FF6C2DAE993
                                                                    • DeleteCriticalSection.KERNEL32 ref: 00007FF6C2DAE9AA
                                                                    • CloseHandle.KERNEL32 ref: 00007FF6C2DAE9B7
                                                                      • Part of subcall function 00007FF6C2DAEA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C2DAE95F,?,?,?,00007FF6C2DA463A,?,?,?), ref: 00007FF6C2DAEA63
                                                                      • Part of subcall function 00007FF6C2DAEA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C2DAE95F,?,?,?,00007FF6C2DA463A,?,?,?), ref: 00007FF6C2DAEA6E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                    • String ID:
                                                                    • API String ID: 502429940-0
                                                                    • Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                    • Instruction ID: 079e49c48a836b157d62eebc6f3249143519f05644d92501cec32aaaf29d842c
                                                                    • Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                    • Instruction Fuzzy Hash: 33011B32A18E81D2E7599F22E944669B320FB94B85F004231DE9E83725CF79F4B5CB60
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CreatePriority
                                                                    • String ID: CreateThread failed
                                                                    • API String ID: 2610526550-3849766595
                                                                    • Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                    • Instruction ID: d1a4b95cff4141775aabe66b42fad33cdccccf5f5671ef432737a34d896219ac
                                                                    • Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                    • Instruction Fuzzy Hash: 6C118E31A18A42C1E701DF10E8411AA7360FBA078AF484331EECD82768EFBCF596C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: DirectoryInitializeMallocSystem
                                                                    • String ID: riched20.dll
                                                                    • API String ID: 174490985-3360196438
                                                                    • Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                    • Instruction ID: 6a807b798a93d1f76c9a989eb8d65cbbc0ff9e35953d072d5352dd7e91c06585
                                                                    • Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                    • Instruction Fuzzy Hash: 8CF04F71618A4282EB009F60F4141AEB3A0FBA8759F840235EDCE82B54DFBCE149CB24
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DB853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6C2DB856C
                                                                      • Part of subcall function 00007FF6C2DAAAE0: LoadStringW.USER32 ref: 00007FF6C2DAAB67
                                                                      • Part of subcall function 00007FF6C2DAAAE0: LoadStringW.USER32 ref: 00007FF6C2DAAB80
                                                                      • Part of subcall function 00007FF6C2D91FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2D91FFB
                                                                      • Part of subcall function 00007FF6C2D9129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C2D91396
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DC01BB
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DC01C1
                                                                    • SendDlgItemMessageW.USER32 ref: 00007FF6C2DC01F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                    • String ID:
                                                                    • API String ID: 3106221260-0
                                                                    • Opcode ID: 7d1f69911a00d0741de56b49c262a8841e6eb375053cbff927e1aaae2ee712c8
                                                                    • Instruction ID: 5dc6d5ee757327d9afe862c1bdb36d3eb617f0f8f76fea15f400c7060a21a9cd
                                                                    • Opcode Fuzzy Hash: 7d1f69911a00d0741de56b49c262a8841e6eb375053cbff927e1aaae2ee712c8
                                                                    • Instruction Fuzzy Hash: 6B51B062F0464286FB10AFA5D4552FD2362ABA9B8DF404335EE8D977D6DEBCF5008360
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 2272807158-0
                                                                    • Opcode ID: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
                                                                    • Instruction ID: 771fae4407d9d079b06421f678089a6ca272fa8fe4adfcffb66ff80adb11b77d
                                                                    • Opcode Fuzzy Hash: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
                                                                    • Instruction Fuzzy Hash: 0541A072A0878182EB108F16E44866963A1FB94BB9F105734DFEE43BD5CFBCE4918610
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 2176759853-0
                                                                    • Opcode ID: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
                                                                    • Instruction ID: bc227c84e265bc1f4daa0460aaeecaa13330f24d4b60a414c8afbeadf997792a
                                                                    • Opcode Fuzzy Hash: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
                                                                    • Instruction Fuzzy Hash: B321B162A18B8181EA10AF25A84017AA364FB99BE5F144335EFDD43B95DF7CE0908740
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: std::bad_alloc::bad_alloc
                                                                    • String ID:
                                                                    • API String ID: 1875163511-0
                                                                    • Opcode ID: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
                                                                    • Instruction ID: 73dc6f717c18023bb0b6bdb93a7d53d40a27f3d1f15e0ef337376ccc8928a507
                                                                    • Opcode Fuzzy Hash: 0ac8b931c67533783bb99e44ed512301af0920adb1b65b15738df05c1e7b1342
                                                                    • Instruction Fuzzy Hash: EE31A323A0868651FB24AF14E4583B963A0FB64B8DF644231DACD867A9DFFCF546C311
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1203560049-0
                                                                    • Opcode ID: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
                                                                    • Instruction ID: 1414a799131c9442b8084bcfa9449f8c9cdbc9095bd0d172ece4863288a3164f
                                                                    • Opcode Fuzzy Hash: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
                                                                    • Instruction Fuzzy Hash: EC21F822A08B81C1EF209F25E4452696361FF98B99F504330EEDE867D5EF7CE541CA10
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3118131910-0
                                                                    • Opcode ID: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
                                                                    • Instruction ID: 291a092997f1e5b3ce2d01d68c0e68a5567b8c8a4d8c69277a6e6a86ecb4eae0
                                                                    • Opcode Fuzzy Hash: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
                                                                    • Instruction Fuzzy Hash: 2E21B622A18B8181EF509F25E44462E6361FB98B99F505330EEDE82B99DF7CF141CB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1203560049-0
                                                                    • Opcode ID: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
                                                                    • Instruction ID: ddfa0a793eb134673124e7dfc2176faf1e5effa93b5bd50d6bdfc18979406b5b
                                                                    • Opcode Fuzzy Hash: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
                                                                    • Instruction Fuzzy Hash: 81217432A18B8181EB509F29E4441296361FBD8BA9F500331EEDD83BE5DF7CE581C750
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    • Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                    • Instruction ID: 87820fbec7c2ef480c0b1ac274e75749f7ed8f8004e4d7c2e165052ec66ffa80
                                                                    • Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                    • Instruction Fuzzy Hash: BBE01A24F0470646EA546F21989537D23526FA8B4BF104638CC8EC3396CEBEF44A8A31
                                                                    APIs
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2D9F895
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2D9F89B
                                                                      • Part of subcall function 00007FF6C2DA3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6C2DB0811), ref: 00007FF6C2DA3EFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                    • String ID:
                                                                    • API String ID: 3587649625-0
                                                                    • Opcode ID: 31de71ccb13629eb4e8ff473cf0e989b9a8a473b909947ada8621b483159802c
                                                                    • Instruction ID: 971eee51ab1e0656013a458ef38eb9029f11bc276c6e7fda2f79322c1b3de279
                                                                    • Opcode Fuzzy Hash: 31de71ccb13629eb4e8ff473cf0e989b9a8a473b909947ada8621b483159802c
                                                                    • Instruction Fuzzy Hash: 9C91B072A1878194EB10EF24D4542AD6361FBA4B9DF904231FE8C87BE9DFB8E555C310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: 402f2d810e1efc6a759daaa5297bed4678b331cbcfb426b8061d29b6a9ebee63
                                                                    • Instruction ID: 88010d7c3107dff32c9a6b491efc3cfca11ac110c6bb4b56cf97c3d79cb8b94d
                                                                    • Opcode Fuzzy Hash: 402f2d810e1efc6a759daaa5297bed4678b331cbcfb426b8061d29b6a9ebee63
                                                                    • Instruction Fuzzy Hash: B241C322F1865184FB00EFB1D4503AD2321AF64B9DF185335EE9DA7BD9DEB8E4928310
APIs
• SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6C2DA274D), ref: 00007FF6C2DA28A9
• GetLastError.KERNEL32(?,00007FF6C2DA274D), ref: 00007FF6C2DA28B8
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
• Instruction ID: 6069f28b01c3f450844a89438560e07e71f48d2c5aa3e92f2029594bf6a989f1
• Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
• Instruction Fuzzy Hash: 5F31E722B19A52C2EB614F3BD544A752351AF24BDAF140331EE9EC7790DEBCF4828760
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: Item_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1746051919-0
• Opcode ID: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
• Instruction ID: 78933ba13d83df0525e4efd11c57ad8c5a725a97306548086039fdb66977a12a
• Opcode Fuzzy Hash: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
• Instruction Fuzzy Hash: E431D222A1878582EA10AF15E4593AEB360EBA4B99F404335EFDD47BD5DFBCF1508710
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: File$BuffersFlushTime
• String ID:
• API String ID: 1392018926-0
• Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
• Instruction ID: 86673b1c9d338d1a84e7c5f12620304da346318adee5c9705c68b99c2b7821cf
• Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
• Instruction Fuzzy Hash: DD21EA22E0E742D6EB618E22D409BB55790AF1179EF144231DECD42399EE7CF546C310
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: LoadString
• String ID:
• API String ID: 2948472770-0
• Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
• Instruction ID: 613f34a6d4fd73dfe2f12b4ad8cbc2d24fb716003df2d7a1808888f2dcd557b9
• Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
• Instruction Fuzzy Hash: 74119071B0970185EB008F16A84046AB7A1BBA8FCAF544635CE8DD3724EFFCF5518758
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
• Instruction ID: a7f35c85154dace88a00b13a08e7de61732b868c8cd2cdaac7b29a323956d316
• Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
• Instruction Fuzzy Hash: DE11A521A18641C1EB608F26E8446796260FB647BEF540331DEBE823D4DFBCF692C310
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: ItemRectTextWindow$Clientswprintf
• String ID:
• API String ID: 3322643685-0
• Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
• Instruction ID: 57f686a5c4f159223d1107480531918c5f8aaa3e878d754503b9912344600466
• Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
• Instruction Fuzzy Hash: 24015220A0D28A41FF956F51A47827A53515F6575EF084334ECCE86799EEECF494C324
APIs
• GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6C2DAEBAD,?,?,?,?,00007FF6C2DA5752,?,?,?,00007FF6C2DA56DE), ref: 00007FF6C2DAEB5C
• GetProcessAffinityMask.KERNEL32 ref: 00007FF6C2DAEB6F
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
• Instruction ID: 9da65a9402dbb2a7d7d0e5b7547c9272f63cccc4f89be31bd0a88362bf80363b
• Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
• Instruction Fuzzy Hash: 02E02B61F1494782DF098F55C4449E973D2BFD8B45F848235DA4BC3714DE2CF1498B10
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
• String ID:
• API String ID: 1173176844-0
• Opcode ID: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
• Instruction ID: cd006bb52c47ed4c536ada8e93ca586ef9a1001d9abb94d9d98c4b46f11cf3ec
• Opcode Fuzzy Hash: ac554a43d54612151bc7e480101717375080be3004ee5b366f50feb51e7139dd
• Instruction Fuzzy Hash: C1E0EC51E0920B41FD183E66182D1B403904F39F7AE185730EEFF847C6AEACF5918130
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
• Instruction ID: 580e618bdf2afea32577e2adf6ad03ef98b2c48573cedcf7bb094f95a6461c6a
• Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
• Instruction Fuzzy Hash: 8EE04668E4964346FF09BFB29C051B823915FB4B5AF080634CD8DC6352EEACB4828630
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 3668304517-0
• Opcode ID: af39ee99099a55e795e80951e1502b6695bf377bb292aa42fe2ae5656993095e
• Instruction ID: 5bcf309f364e62631cd6a309f18ccb070da2dc6258faa05478d5587ee4cd7070
• Opcode Fuzzy Hash: af39ee99099a55e795e80951e1502b6695bf377bb292aa42fe2ae5656993095e
• Instruction Fuzzy Hash: AAD1EC72B086C152EBA8AF2585542B877A1FB25B8DF080235DF9D877A1CF78F4718720
APIs
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: CompareString_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 1017591355-0
• Opcode ID: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
• Instruction ID: 1fb30cec21ec7ab77ed2cfd078a0fbd643baa096dd41a4b1a8945dbd89af85e7
• Opcode Fuzzy Hash: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
• Instruction Fuzzy Hash: 0D61E112E2C647C1FB64AE254414A7A5291AFA5BDEF144331EECE96BC5EEECF4408230
APIs
  • Part of subcall function 00007FF6C2DAE948: ReleaseSemaphore.KERNEL32 ref: 00007FF6C2DAE974
  • Part of subcall function 00007FF6C2DAE948: CloseHandle.KERNELBASE ref: 00007FF6C2DAE993
  • Part of subcall function 00007FF6C2DAE948: DeleteCriticalSection.KERNEL32 ref: 00007FF6C2DAE9AA
  • Part of subcall function 00007FF6C2DAE948: CloseHandle.KERNEL32 ref: 00007FF6C2DAE9B7
• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DB1ACB
Memory Dump Source
• Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
• Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
Similarity
• API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
• String ID:
• API String ID: 904680172-0
• Opcode ID: f81b05313dfd5b5a73717daa6d384c08c9459244a7d30a6ec5ae517113eafb45
• Instruction ID: 6836c709bcd9945e672d88cae249b7b7e668c758676ec5ddcba24a192dff292f
• Opcode Fuzzy Hash: f81b05313dfd5b5a73717daa6d384c08c9459244a7d30a6ec5ae517113eafb45
• Instruction Fuzzy Hash: CD61C162B1968591EE08DF69D5640BCB364FB50F89B544332DBAD87BC5CFA8F4A18310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: d7b1a399856acf99fdb305a598bd345408e38bb8b7611d952776f17d246575aa
                                                                    • Instruction ID: 77c956ba09bb476b68651574b70ca434a3b68c915b4842490b8ed87957f4aa18
                                                                    • Opcode Fuzzy Hash: d7b1a399856acf99fdb305a598bd345408e38bb8b7611d952776f17d246575aa
                                                                    • Instruction Fuzzy Hash: B451D362A0868290FA14AF25D4543B96751FBA5BCEF440236EECD87396CFBDF495C320
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DA3EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6C2DB0811), ref: 00007FF6C2DA3EFD
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2D9E993
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1011579015-0
                                                                    • Opcode ID: e982e273b1865209a75a3cfd535ad9023e3388265a11ab7418cbf5dec2d39955
                                                                    • Instruction ID: 047a7c57ccaf839776118e36a941052801518fdd740ca7ff905c819d4aa57c5f
                                                                    • Opcode Fuzzy Hash: e982e273b1865209a75a3cfd535ad9023e3388265a11ab7418cbf5dec2d39955
                                                                    • Instruction Fuzzy Hash: 3D518F22A0868681FB60AF65D45536D2361FBA4B89F440336EECD877A9DFACF451C360
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: 60c8fe66f84878668f1e37175277eb608c06b9d2d44befc405cc34de4c74e42f
                                                                    • Instruction ID: 1e71d9339e976e21fcd813bc480c21d092245a928dd98edfc1bb655ddfbcf766
                                                                    • Opcode Fuzzy Hash: 60c8fe66f84878668f1e37175277eb608c06b9d2d44befc405cc34de4c74e42f
                                                                    • Instruction Fuzzy Hash: 04411962B18B8182EB149E27E604379A351FB54FC5F448635EE9D87F4ADFBCE4918300
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: 71211bdb8fcfb718bc8c1f80de60d6f389c440e1fadeaa63cd7f355b18b082f6
                                                                    • Instruction ID: fb368d50b86b5dc05dc440f30b3d6cdc355a080ffab4f5c80ea35e2c2a79f146
                                                                    • Opcode Fuzzy Hash: 71211bdb8fcfb718bc8c1f80de60d6f389c440e1fadeaa63cd7f355b18b082f6
                                                                    • Instruction Fuzzy Hash: 9041DF22A08B41C1EF509F29E5467796362EBA4BDDF140234EE8D877D9CFBCF4408664
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: HandleModule$AddressFreeLibraryProc
                                                                    • String ID:
                                                                    • API String ID: 3947729631-0
                                                                    • Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                    • Instruction ID: f11283c8c7925a0c903b41a1777968ba0e770b03dbe18c02397847c4a3198d7c
                                                                    • Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                    • Instruction Fuzzy Hash: 5A41EF22B18B4286FB24AF1198402796361AF74F4AF404236DE8DC77E1CFBDF8818760
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                    • String ID:
                                                                    • API String ID: 680105476-0
                                                                    • Opcode ID: c0d312b4e0c8f4018cd2918558ed466c16d78a5e43cb187cca2cc725d26fc057
                                                                    • Instruction ID: 6e087e364d7a409f675d9fb2565307346b0d0b3edc54ee2f99cb788998d0908f
                                                                    • Opcode Fuzzy Hash: c0d312b4e0c8f4018cd2918558ed466c16d78a5e43cb187cca2cc725d26fc057
                                                                    • Instruction Fuzzy Hash: 8521A322A0825185EE14AE95A4102796360BB24BF5F680730EEFE87BC1DEBCF0618310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 3215553584-0
                                                                    • Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                    • Instruction ID: 3a3e04066f9e655590284e08118ccadc76bea55ce9991cf2d8c9b37fd5ff45c1
                                                                    • Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                    • Instruction Fuzzy Hash: E7117C32E0CA8286F7109F54A44127966A4FB60389F548235EECDC7796DFADF4008F34
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DBF0A4: GetDlgItem.USER32 ref: 00007FF6C2DBF0E3
                                                                      • Part of subcall function 00007FF6C2DBF0A4: ShowWindow.USER32 ref: 00007FF6C2DBF109
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF11E
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF136
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF157
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF173
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF1B6
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF1D4
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF1E8
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF212
                                                                      • Part of subcall function 00007FF6C2DBF0A4: SendMessageW.USER32 ref: 00007FF6C2DBF22A
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DBFD03
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1587882848-0
                                                                    • Opcode ID: 98356bcfc0f9eb0b54ad4562f3e8dfcdedede25df190cb48db04b7e24fbe0ebe
                                                                    • Instruction ID: 7dfa567006bf268f200ebab471979ac715e98bf168f58e8470d632e61e64f5fb
                                                                    • Opcode Fuzzy Hash: 98356bcfc0f9eb0b54ad4562f3e8dfcdedede25df190cb48db04b7e24fbe0ebe
                                                                    • Instruction Fuzzy Hash: F401C862A1468541F914AB24D45637D6311EFADB99F500331FEED867D6DEACF0808614
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: dd833eb704b03c62a36fea145c0b0b4abee32047d89ef2e694e61e0216d7ee09
                                                                    • Instruction ID: cb6f3c887b3f77446301a122d130d1cf9e2b0f425d3e9d069a3232feb81dd130
                                                                    • Opcode Fuzzy Hash: dd833eb704b03c62a36fea145c0b0b4abee32047d89ef2e694e61e0216d7ee09
                                                                    • Instruction Fuzzy Hash: 0A010462E18B8541EA11BF28E4452297361FBE8B9DF404331EEDC47BA5DFACF0408714
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DC1604: GetModuleHandleW.KERNEL32(?,?,?,00007FF6C2DC1573,?,?,?,00007FF6C2DC192A), ref: 00007FF6C2DC162B
                                                                    • DloadProtectSection.DELAYIMP ref: 00007FF6C2DC15C9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: DloadHandleModuleProtectSection
                                                                    • String ID:
                                                                    • API String ID: 2883838935-0
                                                                    • Opcode ID: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
                                                                    • Instruction ID: 2e3602c05b79f73fa6904a5174973228a539475ae92e6e09156a6b0d90e22c90
                                                                    • Opcode Fuzzy Hash: 902d746097657f35995c40355b3f554eba39218e3fb79a70aefbb70b68ceb6fd
                                                                    • Instruction Fuzzy Hash: A211A870E1865782FB61AF09A8503712362AF3474FF140635DD8DC63A1EEACB5DA8639
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DA40BC: FindFirstFileW.KERNELBASE ref: 00007FF6C2DA410B
                                                                      • Part of subcall function 00007FF6C2DA40BC: FindFirstFileW.KERNELBASE ref: 00007FF6C2DA415E
                                                                      • Part of subcall function 00007FF6C2DA40BC: GetLastError.KERNEL32 ref: 00007FF6C2DA41AF
                                                                    • FindClose.KERNELBASE(?,?,00000000,00007FF6C2DB0811), ref: 00007FF6C2DA3EFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1464966427-0
                                                                    • Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                    • Instruction ID: 1152a8b8b4f32a27bc4b8c22e97af1edb2c19867e34bd211c8b5161cceb02832
                                                                    • Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                    • Instruction Fuzzy Hash: BAF0F46290C281C5EB509FB0A0005783361DB65BB9F145334EEBD473C7CEA8E4848765
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: 23cadb91fec3bdd2c960eb1b128b5d9638ce6be25c9e1389157b11379c408e93
                                                                    • Instruction ID: 0f5563849835c5d265e37efe6bcc6711770a3de49cf35b0271d85b1545e47f5e
                                                                    • Opcode Fuzzy Hash: 23cadb91fec3bdd2c960eb1b128b5d9638ce6be25c9e1389157b11379c408e93
                                                                    • Instruction Fuzzy Hash: 7BF0BEA2B1068980EE18AF69C08836C2362EB18F8DF504431DB8C8BB95DFACE490C310
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: File
                                                                    • String ID:
                                                                    • API String ID: 749574446-0
                                                                    • Opcode ID: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
                                                                    • Instruction ID: 636df0143e007a8eb733bc40df2831a58a0b5de08ab207734f751a2d553bcb2d
                                                                    • Opcode Fuzzy Hash: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
                                                                    • Instruction Fuzzy Hash: 40E0CD11B10915C1EF209F37C8455341321EF5CF8AF445130CE4D87721CF68E4C18A20
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileType
                                                                    • String ID:
                                                                    • API String ID: 3081899298-0
                                                                    • Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                    • Instruction ID: c4019ad7ab0f1a7b034328c4345f83e6e38d48c34db2e11f5a0ec372b8dd38a8
                                                                    • Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                    • Instruction Fuzzy Hash: 60D0C912D09841C2DA109A369C5543C2250AFB273AFA40720DA7EC17E1CE9DA496A621
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory
                                                                    • String ID:
                                                                    • API String ID: 1611563598-0
                                                                    • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                    • Instruction ID: a6a95647a878e68128347f7338f1ef9bcba79cfc0450faf21b700bd04f3d6091
                                                                    • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                    • Instruction Fuzzy Hash: 71C08C21F05902C1EB085F26C8C902813A4BB60B0EFB04234C94CC1260CE2CE5EE9769
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 4292702814-0
                                                                    • Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                    • Instruction ID: 7a7eff5da3a517f4fef503bb78bcdc01407c80834f12a68230c7a2eb6113cea6
                                                                    • Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                    • Instruction Fuzzy Hash: 0FF08C50B0D30789FE186EA199102F483905F64F4AF081632CD8DC63A1ED9CF5814131
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AllocHeap
                                                                    • String ID:
                                                                    • API String ID: 4292702814-0
                                                                    • Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                    • Instruction ID: 531a716422d334528ff2914062fa81ec9c7bb06f8b24b4de867243811c71d0ac
                                                                    • Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                    • Instruction Fuzzy Hash: 71F03418B0925644FF587EA16C002B513905FA4BAAF081B30DDEEC63C5DEACB4828230
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 2962429428-0
                                                                    • Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                    • Instruction ID: adc2c4abd494ac79f6c1bec0dd7ede9db0817f1fcff48e2e63ec872f684eb0c8
                                                                    • Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                    • Instruction Fuzzy Hash: 9AF0A422A0868285FB248F21E4457792661EB34B7EF594334DFBD812D4DFA8E8958720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                    • API String ID: 2659423929-3508440684
                                                                    • Opcode ID: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                    • Instruction ID: 9f869f13dcd00764cb8648a1a1a33c2fe2f04198d96f5979424b36ff666a54be
                                                                    • Opcode Fuzzy Hash: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                    • Instruction Fuzzy Hash: 1062A162F0874285FB00AF74D4542AD2361ABA97A9F504331EEAD93BD9DFB8F195C310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                    • String ID: %ls$%s: %s
                                                                    • API String ID: 2539828978-2259941744
                                                                    • Opcode ID: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                    • Instruction ID: cf2825b7542bb33e3a40351db55ad7c992117037bd62059344029cfb3bb7e704
                                                                    • Opcode Fuzzy Hash: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                    • Instruction Fuzzy Hash: 75B2FC62A1868281EA10AF25D4545BE6311FFE979AF104336EEDD837E6DFACF540C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfomemcpy_s
                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                    • API String ID: 1759834784-2761157908
                                                                    • Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                    • Instruction ID: c5fdaaee479a441b0aaacaf8af2222b2e0549e4b2c24dd48ad40bba2291f2d62
                                                                    • Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                    • Instruction Fuzzy Hash: FDB20672A086828BE7658F29D4447FD27A1FB6478DF105235DE4A97B85CFB8F5048F20
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                    • String ID: rtmp
                                                                    • API String ID: 3587137053-870060881
                                                                    • Opcode ID: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
                                                                    • Instruction ID: 4c69859b065e87c5ce37878dca89827ec5ba6780ec816e53c08707d0d1a1d289
                                                                    • Opcode Fuzzy Hash: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
                                                                    • Instruction Fuzzy Hash: A4F1C123B08A8281EB10DF69D4805BD6761EBA5789F501231EE8D83BE9DFBCE585C750
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                     • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 1693479884-0
                                                                    • Opcode ID: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                    • Instruction ID: 4a678fa6a38499c89945f7d5cf7cb8afc6aec3b38b05ccc8904b65272e06bb75
                                                                    • Opcode Fuzzy Hash: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                    • Instruction Fuzzy Hash: 19A1A362F25B5284FF009F7998445BD2321AB69BE9B144335DEAD97BC9DEBCF0818210
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                    • String ID:
                                                                    • API String ID: 3140674995-0
                                                                    • Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                    • Instruction ID: 7bd93aa8f9bcdc658dbfb2e38f26cb211a8e6272f78c448fec6c925f40019c80
                                                                    • Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                    • Instruction Fuzzy Hash: 16314D72608B818AEB609F60E8503ED7360FB94B49F444539DE8D87B98DF78E549CB20
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                    • String ID:
                                                                    • API String ID: 1239891234-0
                                                                    • Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                    • Instruction ID: c514e56c8416c36f68066525181a55456c99a1b5838fd640a5bcd1b3e2c679ae
                                                                    • Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                    • Instruction Fuzzy Hash: 46318432608F8186E7609F25E8402AE73A4FB94B59F540235EECD83B95DF7CE155CB10
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3668304517-0
                                                                    • Opcode ID: c264b490cac148f64dd39c131735208f64494c1dc21ecf378d5d3bcbd534f5da
                                                                    • Instruction ID: 5f5cac5bca3202a74d0bae202dc6fd56fc08a57920786e90f819b5e883046646
                                                                    • Opcode Fuzzy Hash: c264b490cac148f64dd39c131735208f64494c1dc21ecf378d5d3bcbd534f5da
                                                                    • Instruction Fuzzy Hash: 6DB1E022B1468685EB10AF69D8542ED2361FBA9789F404331EE9D87BD9EFBCF544C310
                                                                    APIs
                                                                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2DCFAC4
                                                                      • Part of subcall function 00007FF6C2DC7934: GetCurrentProcess.KERNEL32(00007FF6C2DD0CCD), ref: 00007FF6C2DC7961
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                    • String ID: *?$.
                                                                    • API String ID: 2518042432-3972193922
                                                                    • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                    • Instruction ID: 7e1b14d2625347672e4d812f3e3b515b8c8bb91add8b31eb103bfa78622d3bd6
                                                                    • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                    • Instruction Fuzzy Hash: B651F466B14B9545EB10EFA2D9400F863A5FB68FDDB444632DE9D87B88DF7CE0428321
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 1502251526-0
                                                                    • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                    • Instruction ID: 28b49648418f73211a5a4ef9aa2dfb6f9eac213508dcddd985044f3f81edf67f
                                                                    • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                    • Instruction Fuzzy Hash: 59D1B432B1868687D724CF15E18866AB791F7A8749F148234DF8E93B45DE7CF841CB20
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ErrorFormatFreeLastLocalMessage
                                                                    • String ID:
                                                                    • API String ID: 1365068426-0
                                                                    • Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                    • Instruction ID: ba8d3afac4563356083ae26e740b51b5530a19f2df409357bf09bf201e1d58fc
                                                                    • Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                    • Instruction Fuzzy Hash: BF01FF7161CB8282E7109F22B85017A6396FB99BC6F584234EECEC7B49CF7CE5558B10
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: .
                                                                    • API String ID: 0-248832578
                                                                    • Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                    • Instruction ID: eae9d8829293c971c38147ac9a0980c2d5128df90b00cf4898eb0805f8ca0b85
                                                                    • Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                    • Instruction Fuzzy Hash: EC31EA62B0869149F760AE26D8057E96B95EB64FE9F148335EE9C87BC5CE7CE5018300
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ExceptionRaise_clrfp
                                                                    • String ID:
                                                                    • API String ID: 15204871-0
                                                                    • Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                    • Instruction ID: b7bae2755269229b8f2a0025c7313da1222553192a923de4cd258807c92b8a95
                                                                    • Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                    • Instruction Fuzzy Hash: 89B15B73610B858BEB15CF29C8463683BA0F744B4DF198A21DE9D877A8CF79E451CB20
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ObjectRelease$CapsDevice
                                                                    • String ID:
                                                                    • API String ID: 1061551593-0
                                                                    • Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                    • Instruction ID: 843aac7caafcc221b2536fc18895adc0a40124db311d9cce6da14c9142db0420
                                                                    • Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                    • Instruction Fuzzy Hash: 36815A36B08A0586EB20CF6AD4506AD7371FB98B8EF104232DE8D97B24DF79E145C760
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: FormatInfoLocaleNumber
                                                                    • String ID:
                                                                    • API String ID: 2169056816-0
                                                                    • Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                    • Instruction ID: a6125f0e55910dedcced31c4d6ecfaf010f8e3545e4fcb950d9d2be6d18247b9
                                                                    • Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                    • Instruction Fuzzy Hash: 54118C22A08B8195E3628F51E8007EA7360FF98B49F844235DE8D837A4DF7CF159CB54
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DA24C0: CreateFileW.KERNELBASE ref: 00007FF6C2DA259B
                                                                      • Part of subcall function 00007FF6C2DA24C0: GetLastError.KERNEL32 ref: 00007FF6C2DA25AE
                                                                      • Part of subcall function 00007FF6C2DA24C0: CreateFileW.KERNEL32 ref: 00007FF6C2DA260E
                                                                      • Part of subcall function 00007FF6C2DA24C0: GetLastError.KERNEL32 ref: 00007FF6C2DA2617
                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C2DA15D0
                                                                      • Part of subcall function 00007FF6C2DA3980: MoveFileW.KERNEL32 ref: 00007FF6C2DA39BD
                                                                      • Part of subcall function 00007FF6C2DA3980: MoveFileW.KERNEL32 ref: 00007FF6C2DA3A34
                                                                    Similarity
                                                                    • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 34527147-0
                                                                    • Opcode ID: 980cd56be866766a23a9553c8d4159ccf1d73d98ddfd7d5c2418f08c88695bde
                                                                    • Instruction ID: 2d039d360d05b4291a08422acb78bb5271f1cde5c401e14b0a9b561bf0c72932
                                                                    • Opcode Fuzzy Hash: 980cd56be866766a23a9553c8d4159ccf1d73d98ddfd7d5c2418f08c88695bde
                                                                    • Instruction Fuzzy Hash: 9C91D222B18642C2EF10DF6AD444AAD6361FB64BC9F404232EE8E87B95DFBCE545C710
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Version
                                                                    • String ID:
                                                                    • API String ID: 1889659487-0
                                                                    • Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
                                                                    • Instruction ID: 517b2bd29c21abf2c9fe74974e1e0b90e5a1d3eb8f9d18e294aaf46ded11be54
                                                                    • Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
                                                                    • Instruction Fuzzy Hash: 81010571D186828AE7248F00E84077A72A1BBA831BF500334D99D82794DEBCB5058A20
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID: 0
                                                                    • API String ID: 3215553584-4108050209
                                                                    • Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                    • Instruction ID: b4f7451dd0a9c9f3a8e5df8384c0ef71861ffeea49c64cbb08e5058ad4b5f5e3
                                                                    • Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                    • Instruction Fuzzy Hash: A581E721A182424AEAAAAE158140ABD23A0EF71F4EF541731DD89C7795CFBDF885C760
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID: 0
                                                                    • API String ID: 3215553584-4108050209
                                                                    • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                    • Instruction ID: e01f63bfb9977970eb2183e16166520dfefb61e810454aa7bafd43ff46fc2ccf
                                                                    • Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                    • Instruction Fuzzy Hash: E9712831A0C28246FB6AAE158040ABE23919F61F4EF141731DDC9C77C6CEADF8C68761
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: gj
                                                                    • API String ID: 0-4203073231
                                                                    • Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                    • Instruction ID: 897ebb948edece39f67dab0b6ef34a9bca49989752f564c3e4877b360d3718da
                                                                    • Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                    • Instruction Fuzzy Hash: E95191377286908BD714CF25E404A9AB3A5F388758F445126EF8A93B05CF3DE945CF40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: @
                                                                    • API String ID: 0-2766056989
                                                                    • Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                    • Instruction ID: 9367c5d4fc5d8fc8e99356e751436b339ed2217c63ea954d4ec98845ef4e40a8
                                                                    • Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                    • Instruction Fuzzy Hash: 8A41BF22714B5486EA08DF2AE8142A9B3A1F768FD8B499236DF4D87794DE7CE045C350
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: HeapProcess
                                                                    • String ID:
                                                                    • API String ID: 54951025-0
                                                                    • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                    • Instruction ID: 091842033ff58620ca64740cb1ef570f9935d18d109f3a3bd4ae14b05adf1176
                                                                    • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                    • Instruction Fuzzy Hash: 15B09220E17B02C2EA096F116C8229422A4BF68706F988138C98CC1330DE6C30E64B20
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                    • Instruction ID: 2251018798b68e007ea3234d42ed1a02a2bde7e88f9806fa136881eb8e449b67
                                                                    • Opcode Fuzzy Hash: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                    • Instruction Fuzzy Hash: 6E820573A096C186D745CF28D4642BC7BA1E765B8DF19823ACE8E87385DEBCE445D320
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                    • Instruction ID: 1a15c0f76d2dc69871335c6c518b64ef096d3ca11de438100e88d6f80dd2ff7b
                                                                    • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                    • Instruction Fuzzy Hash: 7F627E9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                    • Instruction ID: 5fc0635cba2916bb58d9c519c50c30523d34503775c56b0019c13ed59d63a9ca
                                                                    • Opcode Fuzzy Hash: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                    • Instruction Fuzzy Hash: 5E8210B2A196C18ADB24CF28C4646FC7BA1F765B4DF088236CE8D87785DE78E445C720
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                    • Instruction ID: e3763d94121652fc65279e77c8b308a99d18ce08017c6996083f13f77b592c99
                                                                    • Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                    • Instruction Fuzzy Hash: 5122F473B246508BD728CF25C89AE5E3766F798748B4B8228DF4ACB785DB38D505CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                    • Instruction ID: 3bc151565bdda5c42fcfae7205c0e686be63b8f0c771394099d8ce3abd40b3d5
                                                                    • Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                    • Instruction Fuzzy Hash: CC32CF72A141918BE718CF24D564ABC37A1F764B4AF058239DE8A87B88DF7CB861C750
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                    • Instruction ID: 6a360a833db30e606a6bf1cd167c7a838e7e064d353c51de4807d488a4acce17
                                                                    • Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                    • Instruction Fuzzy Hash: 24C19DB7B281908FE350CF7AE400A9D3BB1F39878CB519125EF59A7B09D639E645CB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                    • Instruction ID: 009b8d5a4bcbf9e20f074bf7496b9d9b9a2fcbd86b74670ac3760ec9234c9ffd
                                                                    • Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                    • Instruction Fuzzy Hash: 54A13573E0818286EB15DE25D4687B92691EBB478EF154735DECA87785CEBCF841C320
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                    • Instruction ID: 47e043fa4220ced4dd96ed6d05eb2cb7fbfae5bb43dc52a9c60a8d44604e7ab4
                                                                    • Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                    • Instruction Fuzzy Hash: 7BC1D677A292E08DE302CBB5A4248FD3FB1E71E34DB464252EFD656B4AD5285201DF70
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc
                                                                    • String ID:
                                                                    • API String ID: 190572456-0
                                                                    • Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                    • Instruction ID: 69fb24b6d9a383d2601ca8042fc8ab50970ea5537e5e11cb1357731dfe14864f
                                                                    • Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                    • Instruction Fuzzy Hash: D5912E63B1868196EB11EF29D4106ED2720FFA5B8DF441231EF8E87749EE78E646C310
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
                                                                    • Instruction ID: 31c7d923d133a6fcdd44d15362a258f38f5f4629b9c2fd7d3ef1828b52867ed9
                                                                    • Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
                                                                    • Instruction Fuzzy Hash: F9610622B182D189EB11CF7585108FD7FA1A739789B494132CEDA97746CEBCF506CB20
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
                                                                    • Instruction ID: 27ff0ee447f1b9a13818fb59b765d15e1df8c8830f3acf727197e0d7f0f410f8
                                                                    • Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
                                                                    • Instruction Fuzzy Hash: 6D510173B181514BE7298F28D028BAD3761FBA4B49F448234DF8A87789DE7DE541CB10
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
                                                                    • Instruction ID: e57d79f59dad1bf217fac4bcc9f233570457f853ab26f19949aebf14daa22bbe
                                                                    • Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
                                                                    • Instruction Fuzzy Hash: 9A31E3B2A186818BE708DE26E6A067E7790F75534AF048239DF8AC3B41DEBCF045C710
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
                                                                    • Instruction ID: 1b1fd800f21c79a5de26e1d1a870cc555e3dfa0c9e5afe32ff714abbdea94ebb
                                                                    • Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
                                                                    • Instruction Fuzzy Hash: ABF09C71B187558BDBA4CF2DA442A6A77D0F7183C5F548539D9CDC3B04DA7CA4508F18
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
                                                                    • Instruction ID: 4963cc2fff3adec4ca861137c70d8475f516cd2c63f02e722d94cd03ede8e003
                                                                    • Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
                                                                    • Instruction Fuzzy Hash: 1EA0026190CC42D1E6859F10E9600B02330FBB170AF500231F8CDC22A4DFBCB442CB30
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                    • API String ID: 3668304517-727060406
                                                                    • Opcode ID: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
                                                                    • Instruction ID: fcc2cf76d6e5c0ecd6134df9a54eb913edcccbe7f7f44a7e5a4dfa0e4ee46e09
                                                                    • Opcode Fuzzy Hash: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
                                                                    • Instruction Fuzzy Hash: B841F836B06F01D9EB01AF65D4503E833B9EB28799F400636DE8C83759EEB8E165C760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                    • API String ID: 2565136772-3242537097
                                                                    • Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                    • Instruction ID: a9eb3f5900c80d8b40693ea42cf8009b4785aefb53a48171d4126427b9f72088
                                                                    • Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                    • Instruction Fuzzy Hash: BA21ED64A1DF0382FA55AF51E85917523A0AF74B8EF440235CDCEC27A0DEBCB48A8631
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                    • String ID: DXGIDebug.dll$UNC$\\?\
                                                                    • API String ID: 4097890229-4048004291
                                                                    • Opcode ID: caeda946b173b290eeb0eea351584ffd7bcd35d17f0c3fb79cdbd079912c01be
                                                                    • Instruction ID: 14e3b9a39f322f7c5791dc44ce80cc7a45513139028c852cec77f29cc676c330
                                                                    • Opcode Fuzzy Hash: caeda946b173b290eeb0eea351584ffd7bcd35d17f0c3fb79cdbd079912c01be
                                                                    • Instruction Fuzzy Hash: A512AB22B08A42C0EF10DF64D4545AD6371EBA5B89F504231EE9D87BE9DFBCE549C3A0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                    • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                    • API String ID: 431506467-1315819833
                                                                    • Opcode ID: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                    • Instruction ID: 7cd09d0c7f66deda760b7ba6097a80429f5044072efba05b4dde45313c76f3a2
                                                                    • Opcode Fuzzy Hash: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                    • Instruction Fuzzy Hash: B3B1DF62F08B8285FB009FA4D4542AC2372AB65799F404335DE9CA6BD9DFBCF046C360
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                    • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                    • API String ID: 2868844859-1533471033
                                                                    • Opcode ID: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                    • Instruction ID: a6c654978c116cb235f36b5d1c97a017cf97aef53a1800a3025214887b7427bc
                                                                    • Opcode Fuzzy Hash: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                    • Instruction Fuzzy Hash: 6881AE62B08A0285FB00EFB5D4502ED2371AB68B8DF405235DE9D977D9DEB8E50AC360
                                                                    APIs
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                    • API String ID: 3215553584-2617248754
                                                                    • Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                    • Instruction ID: 2898e494c411bfdd73add234a65a17ca7de9679ad4c9d616805d852e6ded4eb4
                                                                    • Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                    • Instruction Fuzzy Hash: B741CE72A09B4589FB04DF25E8417AD33A4EB28799F504636EE9C83B94DE7CE025C354
                                                                    APIs
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                    • String ID: STATIC
                                                                    • API String ID: 2845197485-1882779555
                                                                    • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                    • Instruction ID: aa00349384c5775ef95d9f5a74a139a95c1e00b1873e3611ced0b5f9b3d81be3
                                                                    • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                    • Instruction Fuzzy Hash: EC31C821B0864346FA609F11E5647BA6392BFA9BCAF004230DDCD87B56DEBCF4458760
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ItemTextWindow
                                                                    • String ID: LICENSEDLG
                                                                    • API String ID: 2478532303-2177901306
                                                                    • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                    • Instruction ID: 308304b21c297ba080e858c58b0db3d7f5dcea50d8f433cf748d052f9ecd741f
                                                                    • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                    • Instruction Fuzzy Hash: 96418125F08A5682F7548F11A82477E23A1AFA5B8AF544235DDCE83B94CFBCF5468324
                                                                    APIs
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                    • API String ID: 2915667086-2207617598
                                                                    • Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                    • Instruction ID: 9a9dfbcdd117d3277434e82d277f65836751e7491c3bf8cb266975ff26892b3c
                                                                    • Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                    • Instruction Fuzzy Hash: 5B314624A0DB4280FB158F52A8505B623A1AF75B9AF084335DC9EC33A4DEFCF5828324
                                                                    APIs
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: $
                                                                    • API String ID: 3668304517-227171996
                                                                    • Opcode ID: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                    • Instruction ID: bdd125eb2de7f9ac3cc90fedac6dd9c66d30a179267b1db7735d1dc5e8613195
                                                                    • Opcode Fuzzy Hash: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                    • Instruction Fuzzy Hash: AAF1AC62F15A4684EE00AF65D4681BC2361AB64BAEF505731CEAD937D9DFB8F0C08360
                                                                    APIs
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                    • String ID: csm$csm$csm
                                                                    • API String ID: 2940173790-393685449
                                                                    • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                    • Instruction ID: 73559654d6018047ffc364ca2ba78bd54a41fe379a51e8bb5c5bdf73d592610b
                                                                    • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                    • Instruction Fuzzy Hash: DCE19E729286828AE710AF24D4803AD7BA0FB65B5EF144235DECDA7796CF78F485C710
                                                                    APIs
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AllocClearStringVariant
                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                    • API String ID: 1959693985-3505469590
                                                                    • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                    • Instruction ID: d39faa63bc091537898c07ccd93769ad357bffd02dfe88c12e74043bb4f7f020
                                                                    • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                    • Instruction Fuzzy Hash: F2711A36A14A05C5EB20CF25D8805A977B1FBA8B9EF445232DE8E83B64CF7CE545C720
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6C2DC74F3,?,?,?,00007FF6C2DC525E,?,?,?,00007FF6C2DC5219), ref: 00007FF6C2DC7371
                                                                    • GetLastError.KERNEL32(?,?,00000000,00007FF6C2DC74F3,?,?,?,00007FF6C2DC525E,?,?,?,00007FF6C2DC5219), ref: 00007FF6C2DC737F
                                                                    • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6C2DC74F3,?,?,?,00007FF6C2DC525E,?,?,?,00007FF6C2DC5219), ref: 00007FF6C2DC73A9
                                                                    • FreeLibrary.KERNEL32(?,?,00000000,00007FF6C2DC74F3,?,?,?,00007FF6C2DC525E,?,?,?,00007FF6C2DC5219), ref: 00007FF6C2DC73EF
                                                                    • GetProcAddress.KERNEL32(?,?,00000000,00007FF6C2DC74F3,?,?,?,00007FF6C2DC525E,?,?,?,00007FF6C2DC5219), ref: 00007FF6C2DC73FB
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                    • String ID: api-ms-
                                                                    • API String ID: 2559590344-2084034818
                                                                    • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                    • Instruction ID: 161fa0f913d87a14800a07aa432b9a22d289c5cafeaa4e48764c587ae4a2fcb0
                                                                    • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                    • Instruction Fuzzy Hash: C831B221A1AA4281FE12AF16A8005752399FF64FAAF594735DDADC7390DFBCF0458730
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(?,?,?,00007FF6C2DC1573,?,?,?,00007FF6C2DC192A), ref: 00007FF6C2DC162B
                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF6C2DC1573,?,?,?,00007FF6C2DC192A), ref: 00007FF6C2DC1648
                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF6C2DC1573,?,?,?,00007FF6C2DC192A), ref: 00007FF6C2DC1664
                                                                    Strings
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule
                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                    • API String ID: 667068680-1718035505
                                                                    • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                    • Instruction ID: 5d0730cc2468fce25beff57f9909cfc526d883da454eb4a87324e6fbab421e75
                                                                    • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                    • Instruction Fuzzy Hash: 53113C30A49B9382FE55AF04A94027553956F28B9EF9C4735CC9DCA350EEBCF4858A30
                                                                    APIs
                                                                      • Part of subcall function 00007FF6C2DA51A4: GetVersionExW.KERNEL32 ref: 00007FF6C2DA51D5
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C2D95AB4), ref: 00007FF6C2DAED8C
                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C2D95AB4), ref: 00007FF6C2DAED98
                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C2D95AB4), ref: 00007FF6C2DAEDA8
                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C2D95AB4), ref: 00007FF6C2DAEDB6
                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C2D95AB4), ref: 00007FF6C2DAEDC4
                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C2D95AB4), ref: 00007FF6C2DAEE05
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                    • String ID:
                                                                    • API String ID: 2092733347-0
                                                                    • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                    • Instruction ID: 21f55b76dfcc3eeeda27fb7facf12c1e1360acfa2374b7bc98b53d525b67d6da
                                                                    • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                    • Instruction Fuzzy Hash: 7B518BB2B00A52CAEB04CFA9D4405AC77B1F758B8DB60813ADE4D97B58DF78E542CB50
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                    • String ID:
                                                                    • API String ID: 2092733347-0
                                                                    • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                    • Instruction ID: 5f618ea1e43b5aa3d4870a4989fea0c11597b3a8587f75bf26c838398c41af14
                                                                    • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                    • Instruction Fuzzy Hash: AD311862B10A51CDEB00CFB5D8802AC7770FB1875DB54512AEE4ED7B58EE78E896C720
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: .rar$exe$rar$sfx
                                                                    • API String ID: 3668304517-630704357
                                                                    • Opcode ID: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                    • Instruction ID: 9138eb4fac0d6f6f955755bb7d2e4e41de2cd6c1f8a3df6aba171dff53eaeabc
                                                                    • Opcode Fuzzy Hash: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                    • Instruction Fuzzy Hash: 89A1BE22A18A0680FB04AF25D8556BC2361AB64B9DF040331DD9E877E9DFBCF596C360
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: abort$CallEncodePointerTranslator
                                                                    • String ID: MOC$RCC
                                                                    • API String ID: 2889003569-2084237596
                                                                    • Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                    • Instruction ID: a6356b8661015c1aca0d3b36eb07e5cb675190e19ac389e6a5fa95da8c98eaaf
                                                                    • Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                    • Instruction Fuzzy Hash: 1091AF73A18B818AE710DF64E4802AD7BB0FB54B8DF104229EE8C97759DF78E195CB10
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                    • String ID: csm$f
                                                                    • API String ID: 2395640692-629598281
                                                                    • Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                    • Instruction ID: 279b7603b2c3bdbab8f63f4f784904ff9f10cd46be5587fa99c4bb8d04bdb5b7
                                                                    • Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                    • Instruction Fuzzy Hash: 3351D831A2560286DB14EF11E444A293B55FB60F9DF508230DD9ED7748DFB8F841D760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                    • API String ID: 2102711378-639343689
                                                                    • Opcode ID: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
                                                                    • Instruction ID: 19b7d187a8429ef90622abfe823c51e78c1b1d3dc37439c46575c4395874a9e8
                                                                    • Opcode Fuzzy Hash: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
                                                                    • Instruction Fuzzy Hash: A151D366F1874285FB00EF60D8512BD2360AFA57AEF540330EE9D93796DEBCB495C220
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Show$Rect
                                                                    • String ID: RarHtmlClassName
                                                                    • API String ID: 2396740005-1658105358
                                                                    • Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                    • Instruction ID: 0c2ee7144ebed3ae7e166503177fa99d3989d6ce58697a1a790f27ebebe99458
                                                                    • Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                    • Instruction Fuzzy Hash: 82519522A0874287FA249F26E45437A63A1FBA5B8AF045235DECE87B55DF7CF0458B10
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                    • String ID: sfxcmd$sfxpar
                                                                    • API String ID: 3540648995-3493335439
                                                                    • Opcode ID: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                    • Instruction ID: 1db258eca3aae8d74bfe54e595ca9ee2f59e6852839ed876f15d5725314b454a
                                                                    • Opcode Fuzzy Hash: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                    • Instruction Fuzzy Hash: 7B318132A14B0588EB049F65E4941AC2371FB68B9DF540231DE9D977A9DEB8F082C364
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                    • API String ID: 0-56093855
                                                                    • Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                    • Instruction ID: 0108cc497362b84dc23b94969d596fb15e5cfacca6ebe926fe7e79f5362bdbce
                                                                    • Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                    • Instruction Fuzzy Hash: B821192190CB4784FA108F55F8581B523A0AB69B8EF540236EDCDC73A4DEBCF1998369
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                    • Instruction ID: 4db5b96c15ff8bbda98ce867efea09ea1aea745f1e0f275cdfb40eaded753a3b
                                                                    • Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                    • Instruction Fuzzy Hash: 05F0AF21A19F8281EE459F11F4402796360AF98B9AF041235DE8FC2365CEBCF4C98B20
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID:
                                                                    • API String ID: 3215553584-0
                                                                    • Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                    • Instruction ID: 9527312ee706a13529e30f333bcf2ae39691c65c1d3ffbb94b0f489279295a78
                                                                    • Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                    • Instruction Fuzzy Hash: B381DD26A18A9295FB109F6598402BD27A4BB65B8FF004331CD8ED3795CFF8B446CB30
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 2398171386-0
                                                                    • Opcode ID: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
                                                                    • Instruction ID: b9ac482d57b4af140c18d07dbc1f0cd92de7695999887b058c81a89d13c856a9
                                                                    • Opcode Fuzzy Hash: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
                                                                    • Instruction Fuzzy Hash: 9751C122B04B4289FB90DF65E8406BD23B2EB647ADF004735DE9D867D8DF7CA4558320
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                    • String ID:
                                                                    • API String ID: 3659116390-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                    • String ID:
                                                                    • API String ID: 262959230-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: AddressProc
                                                                    • String ID:
                                                                    • API String ID: 190572456-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _set_statfp
                                                                    • String ID:
                                                                    • API String ID: 1156100317-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                    • String ID:
                                                                    • API String ID: 3621893840-0
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __except_validate_context_recordabort
                                                                    • String ID: csm$csm
                                                                    • API String ID: 746414643-3733052814
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID: $*
                                                                    • API String ID: 3215553584-3982473090
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$StringType
                                                                    • String ID: $%s
                                                                    • API String ID: 3586891840-3791308623
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                    • String ID: csm
                                                                    • API String ID: 2466640111-1018135373
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                    • String ID: U
                                                                    • API String ID: 2456169464-4171548499
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ObjectRelease
                                                                    • String ID:
                                                                    • API String ID: 1429681911-3916222277
                                                                    APIs
                                                                    • InitializeCriticalSection.KERNEL32(?,?,?,00007FF6C2DB317F,?,?,00001000,00007FF6C2D9E51D), ref: 00007FF6C2DAE8BB
                                                                    • CreateSemaphoreW.KERNEL32(?,?,?,00007FF6C2DB317F,?,?,00001000,00007FF6C2D9E51D), ref: 00007FF6C2DAE8CB
                                                                    • CreateEventW.KERNEL32(?,?,?,00007FF6C2DB317F,?,?,00001000,00007FF6C2D9E51D), ref: 00007FF6C2DAE8E4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                    • String ID: Thread pool initialization failed.
                                                                    • API String ID: 3340455307-2182114853
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDeviceRelease
                                                                    • String ID:
                                                                    • API String ID: 127614599-3916222277
                                                                    • Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                    • Instruction ID: 22aa862086cfb5d256f1b03f2443e76535cbaec3320dee10195ab8d77bef7a35
                                                                    • Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                    • Instruction Fuzzy Hash: A0E0C220B0864282FB085BB6B58953B2261AB4CBD1F198135DE5FC3B94DE3CD4C44314
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                    • String ID:
                                                                    • API String ID: 1137671866-0
                                                                    • Opcode ID: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
                                                                    • Instruction ID: 2ebc4a468284a814c88d5bfde4447ca0d9d2a464de92813101039ceb255a9777
                                                                    • Opcode Fuzzy Hash: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
                                                                    • Instruction Fuzzy Hash: 22A1C222A18A8281EA10EF65D8541AD6361FBA578AF405331EECD83BD9DFBCF554C720
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1452528299-0
                                                                    • Opcode ID: 47ce399c8b5a93a9ee7e183f504d796df39c479f65169f8ae0637efe197c3b7b
                                                                    • Instruction ID: d459ce8b4f6a53ba4cd2356214c2a69c8ff43e077eed6011825984e72d37c02f
                                                                    • Opcode Fuzzy Hash: 47ce399c8b5a93a9ee7e183f504d796df39c479f65169f8ae0637efe197c3b7b
                                                                    • Instruction Fuzzy Hash: 9951B372B14A4285FB00AF74D4542EC2321EBA8B9EF404331DE9D97BD9DEA8F145C364
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                    • String ID:
                                                                    • API String ID: 1077098981-0
                                                                    • Opcode ID: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
                                                                    • Instruction ID: 9274cd9215a82207af7bdec6e56ac808b80d8092c4af8701023e4e0633bf5cf1
                                                                    • Opcode Fuzzy Hash: 5a43cb7f5a8bc2b697eb0b834037522765625dc86c8d5e2913923eaf6a834e49
                                                                    • Instruction Fuzzy Hash: B0518E32A18B8286E700CF61E4543AE7364FB98B89F505235EE8D97B58DF7CE444CB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                    • String ID:
                                                                    • API String ID: 4141327611-0
                                                                    • Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                    • Instruction ID: 7b4c8e8436a933e5048a334bc1ca0e34359b0f9e2dc51dd8b730a2c37c7c411e
                                                                    • Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                    • Instruction Fuzzy Hash: 0341B73590C65246F765AE10D94037963A0EFA4F9AF144231DEDD86B85CFACF4428720
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                    • String ID:
                                                                    • API String ID: 3823481717-0
                                                                    • Opcode ID: 47dbf0decc8272d9a7ae459b130201949f9107b8ec80fb87a20ec63cf3da1f82
                                                                    • Instruction ID: 397d365b7237fe6fc8bf144fbcde550150d38473b003fb20ab0cec45df5e5194
                                                                    • Opcode Fuzzy Hash: 47dbf0decc8272d9a7ae459b130201949f9107b8ec80fb87a20ec63cf3da1f82
                                                                    • Instruction Fuzzy Hash: C141AF62F14B6184FB00CFA5D8445AC2372FB54B99B105331DE9E96B99DFB8E081C260
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C2DCC45B), ref: 00007FF6C2DD0B91
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C2DCC45B), ref: 00007FF6C2DD0BF3
                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C2DCC45B), ref: 00007FF6C2DD0C2D
                                                                    • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C2DCC45B), ref: 00007FF6C2DD0C57
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                    • String ID:
                                                                    • API String ID: 1557788787-0
                                                                    • Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                    • Instruction ID: 1d9dbd374b215049d947e28c1a6f389c4a845259d359097ad9733dc3dd7748f4
                                                                    • Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                    • Instruction Fuzzy Hash: 38216431F18F5181E6249F16644002976A8FBA4BD6F484634DECEA3BA4DF7CF4528B24
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$abort
                                                                    • String ID:
                                                                    • API String ID: 1447195878-0
                                                                    • Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                    • Instruction ID: ae121f80bc5bdb7bb8e2d0e4c165fe644701bfe795e8e372afe595d68fddf171
                                                                    • Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                    • Instruction Fuzzy Hash: 0301C018B0C74202FA1C7F61694517853615F74F9AF104738DE9EC27D6DDBCB8414630
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                    • Instruction ID: ca21edd5e99a98ac198fd2921e27aabb51dff9bf52393831dba187722c92596b
                                                                    • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                    • Instruction Fuzzy Hash: 4CE01260E0970382FF085FB168595372191AF6874BF188639CC5FC6750ED7CB095C728
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                    • String ID: DXGIDebug.dll
                                                                    • API String ID: 3668304517-540382549
                                                                    • Opcode ID: 0a6e8a5cf670b8866c9f9b50e0138bc92bc45c918b99fe1d1ba172bd3edf1b53
                                                                    • Instruction ID: 926a1fd7478237d63678ea7528d83250d7ce8cf4b403e061f5504636a72d6b4a
                                                                    • Opcode Fuzzy Hash: 0a6e8a5cf670b8866c9f9b50e0138bc92bc45c918b99fe1d1ba172bd3edf1b53
                                                                    • Instruction Fuzzy Hash: 53719172A14B8186EB14DF25E4443ADB3A4FB64B98F444236DFAD47B99DFB8E061C310
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo
                                                                    • String ID: e+000$gfff
                                                                    • API String ID: 3215553584-3030954782
                                                                    • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                    • Instruction ID: ba75bf4c8a06bd23bb24efc0df472e5cbf4b0fa738a660e7c8820ef3beda478b
                                                                    • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                    • Instruction Fuzzy Hash: 5F5125A2B187C246E7259F359841369AB91ABA0F95F189331CADCC7BDACF6CF444C710
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                    • String ID: SIZE
                                                                    • API String ID: 449872665-3243624926
                                                                    • Opcode ID: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                    • Instruction ID: ea4909f92422add8f97ea94be66ea2937fa8ddfe28a1bbc87786e7331722d322
                                                                    • Opcode Fuzzy Hash: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                    • Instruction Fuzzy Hash: 7A41B062A1864281EA10EF18E4467F96360EBA579AF404331EEDD867D6EFBCF540C710
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileModuleName_invalid_parameter_noinfo
                                                                    • String ID: C:\Users\user\Desktop\0438.pdf.exe
                                                                    • API String ID: 3307058713-792344357
                                                                    • Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                    • Instruction ID: da60609527a458ca08a465155a0099af38ecdf49760311588fda6dbf1cddda3f
                                                                    • Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                    • Instruction Fuzzy Hash: 9F41BE36A08B9286EB15EF25B8400BD7394EF64B99B544232EECD87B45DEBCF441C724
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ItemText$DialogWindow
                                                                    • String ID: ASKNEXTVOL
                                                                    • API String ID: 445417207-3402441367
                                                                    • Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
                                                                    • Instruction ID: d14dcda9f32de5e60f4359b0fd53d02f93f09b5c3e0dcfb84c597f568e890cbd
                                                                    • Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
                                                                    • Instruction Fuzzy Hash: 6741D722A0C682C1FA50DF15D8602FA23A1AFA5BCAF540235DECD87795DFBCF4518760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_snwprintf
                                                                    • String ID: $%s$@%s
                                                                    • API String ID: 2650857296-834177443
                                                                    • Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                    • Instruction ID: cd819115f0242382302e631cf858fc76be31c648d6e9b2af21ce359b9c99af4d
                                                                    • Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                    • Instruction Fuzzy Hash: 1B31C372B18A8685EB10CF66E440AE963A0FB64B8DF401232DE8D47795DE7DF505C760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FileHandleType
                                                                    • String ID: @
                                                                    • API String ID: 3000768030-2766056989
                                                                    • Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                    • Instruction ID: c957fb7ecc6370b60b52250e3e5c96a07173b72b3971fff83081569438149875
                                                                    • Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                    • Instruction Fuzzy Hash: 4C21A772A0868341EB605F2594901392792EB65F79F380335DAEF877D8CE79F881C321
                                                                    APIs
                                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C2DC1D3E), ref: 00007FF6C2DC40BC
                                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C2DC1D3E), ref: 00007FF6C2DC4102
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFileHeaderRaise
                                                                    • String ID: csm
                                                                    • API String ID: 2573137834-1018135373
                                                                    • Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                    • Instruction ID: 201e93732ecca181c0afb8da30686027ffbcbe11d83d409cc8d290bb44553eda
                                                                    • Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                    • Instruction Fuzzy Hash: 0D113D32608B8182EB218F15E44026977E1FB98B99F284231EFCD47754DFBCE555CB10
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C2DAE95F,?,?,?,00007FF6C2DA463A,?,?,?), ref: 00007FF6C2DAEA63
                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C2DAE95F,?,?,?,00007FF6C2DA463A,?,?,?), ref: 00007FF6C2DAEA6E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastObjectSingleWait
                                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                    • API String ID: 1211598281-2248577382
                                                                    • Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                    • Instruction ID: af44b61e82844e0618e14d47e6fac2d09f56db4bd346043989ac99eeb096ae14
                                                                    • Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                    • Instruction Fuzzy Hash: 87E01A25E19D4281F600AF219C424B922107F7077AF940330DDBEC23E5AEACBA8A8730
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1699580389.00007FF6C2D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2D90000, based on PE: true
                                                                    • Associated: 00000000.00000002.1699559369.00007FF6C2D90000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699620299.00007FF6C2DD8000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DEB000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699653380.00007FF6C2DF4000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFA000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1699696082.00007FF6C2DFE000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff6c2d90000_0438.jbxd
                                                                    Similarity
                                                                    • API ID: FindHandleModuleResource
                                                                    • String ID: RTL
                                                                    • API String ID: 3537982541-834975271
                                                                    • Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                    • Instruction ID: 8deccf1d56f7089bf75b3251cc79e43bdb005fedb70c18bc08275d9bb0680fcc
                                                                    • Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                    • Instruction Fuzzy Hash: 8FD05B51F09A0281FF1A4F71A44577412505F28B47F444138CC8D86350DEBDF0C9CB70