Windows Analysis Report
veraport-g3-x64.exe

Overview

General Information

Sample name: veraport-g3-x64.exe
Analysis ID: 1544106
MD5: c9207ccbdef51cada0bc0402c6f1623c
SHA1: 28f3530f6fa7cf504f126b2270c40be3bcc9eea9
SHA256: 7734b2849f3efc85344db57c3c91376601b1f993b3aa18cbcd83473a37d80f17

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Installs new ROOT certificates
Modifies the windows firewall
Overwrites Mozilla Firefox settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Uses netsh to modify the Windows network and firewall settings
Adds / modifies Windows certificates
Changes image file execution options
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: CurrentVersion NT Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • veraport-g3-x64.exe (PID: 320 cmdline: "C:\Users\user\Desktop\veraport-g3-x64.exe" MD5: C9207CCBDEF51CADA0BC0402C6F1623C)
    • veraport-g3-x64.tmp (PID: 3640 cmdline: "C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp" /SL5="$10452,29641996,118784,C:\Users\user\Desktop\veraport-g3-x64.exe" MD5: 63B15124BE653DBE589C7981DA9D397C)
      • sc.exe (PID: 5532 cmdline: "C:\Windows\system32\sc.exe" stop WizveraPMSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • veraport20unloader.exe (PID: 2820 cmdline: "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /addloopback MD5: D0F24C3902D7B2D7B1B66068B778224A)
        • CheckNetIsolation.exe (PID: 6176 cmdline: "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe MD5: 03CF7163B4837A001BD4667A8880D6CD)
          • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • veraport20unloader.exe (PID: 4564 cmdline: "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /link MD5: D0F24C3902D7B2D7B1B66068B778224A)
        • taskkill.exe (PID: 4996 cmdline: "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3560 cmdline: "C:\Windows\System32\taskkill.exe" /f /im veraport.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3292 cmdline: "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 728 cmdline: "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
          • conhost.exe (PID: 1220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • regsvr32.exe (PID: 1784 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • wizveraregsvr.exe (PID: 4760 cmdline: "C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll MD5: AA4EF1C182A79F24B519167C41FAB32E)
        • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wizcertutil.exe (PID: 7064 cmdline: "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe" /force /gencert /target veraport MD5: 0FFE29C5EFF5BD3E25142A388FBEDB5A)
        • certutil.exe (PID: 768 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3032 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 4024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5084 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 4208 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3784 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 2568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3876 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5880 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 6816 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 3576 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5620 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5796 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 5876 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 6396 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • certutil.exe (PID: 572 cmdline: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\ MD5: F8DA06687FB47CA2C355C38CA2766262)
          • conhost.exe (PID: 1016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wpmsvcsetup.exe (PID: 4068 cmdline: "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT MD5: EA18C971818F833249090BB8B11F72C3)
        • wpmsvcsetup.tmp (PID: 4436 cmdline: "C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp" /SL5="$504CE,5451002,118784,C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT MD5: 63B15124BE653DBE589C7981DA9D397C)
          • sc.exe (PID: 3720 cmdline: "C:\Windows\system32\sc.exe" stop WizveraPMSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • conhost.exe (PID: 2020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WizSvcUtil.exe (PID: 3288 cmdline: "C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add MD5: 50E4842EA92F74B2C82426FF562E2CCD)
            • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 6460 cmdline: "C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • conhost.exe (PID: 4072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wpmsvc.exe (PID: 1848 cmdline: "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i MD5: 3C126066F71E9A97F6D8E6383D4BA9B0)
            • conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • sc.exe (PID: 1132 cmdline: "C:\Windows\system32\sc.exe" start WizveraPMSvc MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
            • conhost.exe (PID: 1128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • veraport-x64.exe (PID: 2752 cmdline: "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/ MD5: 9DCEECDFF4DA4C0F08C55A6D945F86B4)
      • netsh.exe (PID: 2312 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)" MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 2812 cmdline: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
        • conhost.exe (PID: 5240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 5344 cmdline: "C:\Windows\system32\sc.exe" start WizveraPMSvc MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • veraport-x64.exe (PID: 4028 cmdline: "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/ MD5: 9DCEECDFF4DA4C0F08C55A6D945F86B4)
  • wpmsvc.exe (PID: 3348 cmdline: "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" MD5: 3C126066F71E9A97F6D8E6383D4BA9B0)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\, CommandLine: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe" /force /gencert /target veraport, ParentImage: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe, ParentProcessId: 7064, ParentProcessName: wizcertutil.exe, ProcessCommandLine: "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\, ProcessId: 768, ProcessName: certutil.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, ProcessId: 3640, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wizvera-veraport-x64
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: -1, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, ProcessId: 3640, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\veraport.exe\CWDIllegalInDllSearch
Source: Registry Key set, Author: frack113: Data: Details: 127.0.0.1:16105;127.0.0.1:16106;, EventID: 13, EventType: SetValue, Image: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe, ProcessId: 4028, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
No Suricata rule has matched

AV Detection

Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy), ReversingLabs: Detection: 25%
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-LNJSQ.tmp, ReversingLabs: Detection: 25%
Source: veraport-g3-x64.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-E859V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-3H75G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Directory created: C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp, File created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-28 #001.txt
Source: veraport-g3-x64.exe, Static PE information: certificate valid
Source: Binary string: C:\Users\wizvera\Desktop\WizveraRegsvr\x64\Release\WizveraRegsvr.pdb source: wizveraregsvr.exe, 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp, wizveraregsvr.exe, 00000013.00000000.2363487958.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr120.i386.pdb source: certutil.exe, 00000018.00000002.3263802690.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001A.00000002.3276531657.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001C.00000002.3282095622.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001E.00000002.3297710179.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000020.00000002.3303674504.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000022.00000002.3307695415.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000024.00000002.3312291213.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000026.00000002.3324453102.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000028.00000002.3332121105.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002A.00000002.3341341268.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002C.00000002.3349057425.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002E.00000002.3360358812.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\x64\Release\veraport-x64.pdb source: veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\Release\wizcertutil.pdb source: wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: certutil.exe, 0000001A.00000003.3274228580.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273899009.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273834349.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274551640.00000000005A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoo
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3276165588.0000000000960000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274228580.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3276165588.0000000000960000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273899009.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273834349.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274551640.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: veraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://help.wizvera.com/help/faq/killprocess.html
Source: veraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://help.wizvera.com/help/faq/killprocess.htmlInvalid
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274228580.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273899009.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273215219.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273834349.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273660874.00000000005A1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274551640.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: veraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.gl9j
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0A
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocspcnnicroot.cnnic.cn0;
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: veraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globa
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://veraport.wizvera.com/agreement.html
Source: regsvr32.exe, 00000012.00000003.2361385463.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vp.wizvera.com/vp-policy/
Source: regsvr32.exe, 00000012.00000003.2361385463.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://vp.wizvera.com/vp-policy/origin
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cnnic.cn/cps/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.cnnic.cn/download/cert/CNNICROOT.cer0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.firmaprofesional.com/cps0
Source: veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002360000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000000.2091498271.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.innosetup.com/
Source: veraport-g3-x64.exe, 00000000.00000000.2089525757.0000000000401000.00000020.00000001.01000000.00000003.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: certutil.exe, 0000002E.00000002.3361348979.000000006F913000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: http://www.mozilla.org/MPL/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3266301327.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000001A.00000002.3276943131.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000001C.00000002.3282538212.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000001E.00000002.3298134524.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000020.00000002.3303948438.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000022.00000002.3308224650.000000006F8EF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000024.00000002.3313056413.000000006F82F000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000026.00000002.3326618235.000000006F82F000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 00000028.00000002.3332521951.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000002A.00000002.3341706577.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000002C.00000002.3349349962.000000006C5AF000.00000002.00000001.01000000.00000013.sdmp, certutil.exe, 0000002E.00000002.3360748655.000000006F8CF000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://www.mozilla.org/MPL/NSPR_FD_CACHE_SIZE_LOWNSPR_FD_CACHE_SIZE_HIGH;
Source: wpmsvc.exe, 0000003C.00000002.3439396785.000000000063A000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
Source: wpmsvc.exe, 0000003C.00000002.3439396785.000000000063A000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.phreedom.org/md5)Digital
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
Source: veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002360000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000000.2091498271.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.remobjects.com/ps
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/cps/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.startssl.com/intermediate.pdf0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.startssl.com/policy.pdf0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.startssl.com/policy.pdf04
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0#
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: veraport-g3-x64.tmp, 00000001.00000003.2092405915.00000000031A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wizvera.com
Source: veraport-g3-x64.exe, 00000000.00000003.3515462350.0000000000A11000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wizvera.com1
Source: veraport-g3-x64.exe, 00000000.00000003.3515462350.0000000000A11000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3506929488.0000000002311000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.wizvera.comq
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
Source: certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D75000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
Source: veraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp, wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://://80:http://https://.?
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/projects/nspr
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/projects/nss
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
Source: veraport-g3-x64.tmp, 00000001.00000002.3512222948.000000000018C000.00000004.00000010.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.3299193402.00000000013A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.hu/docs/
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.netlock.net/docs
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23B090 GetKeyState,GetKeyState,GetKeyState,SendMessageW

System Summary

Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-3MSD8.tmp.1.drStatic PE information: section name:
Source: is-N4BK0.tmp.1.drStatic PE information: section name:
Source: is-08M60.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24CFA0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E2497C8
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24C070
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24D858
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245060
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23D084
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24FDB0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245D84
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E250E78
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24F4B4
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E24895C
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E249B2C
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) 1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
Source: Joe Sandbox View Dropped File: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-E4U10.tmp 89F20D64BB5F74375334BED6C6D97EB6A691EA2FA6F5B62138D91DD6E064C3F3
Source: veraport-g3-x64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: veraport-g3-x64.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-HRCVV.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-HRCVV.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: wpmsvcsetup.tmp.52.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: wpmsvcsetup.tmp.52.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-RGLV1.tmp.53.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-RGLV1.tmp.53.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002474000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs veraport-g3-x64.exe
Source: veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FE40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs veraport-g3-x64.exe
Source: veraport-g3-x64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9985067851681957
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9925608915441176
Source: veraport20unloader.exe.1.dr Static PE information: Section: ZLIB complexity 0.9947706653225806
Source: is-E859V.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9933246906841339
Source: is-E859V.tmp.1.dr Static PE information: Section: ZLIB complexity 1.002685546875
Source: is-3MSD8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9923944887907609
Source: is-3MSD8.tmp.1.dr Static PE information: Section: ZLIB complexity 0.990234375
Source: is-N4BK0.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9985067851681957
Source: is-N4BK0.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9925608915441176
Source: is-N4BK0.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9947706653225806
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0002991272522523
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9984319982394366
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0030691964285714
Source: is-08M60.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9918981481481481
Source: is-G2UQK.tmp.1.dr Static PE information: Section: ZLIB complexity 1.0000887273576768
Source: is-G2UQK.tmp.1.dr Static PE information: Section: ZLIB complexity 0.9914315562707641
Source: is-G2UQK.tmp.1.dr Static PE information: Section: ZLIB complexity 1.000244140625
Source: certutil.exe, 0000001A.00000003.3273962927.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272200065.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273515690.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273021020.000000000056B000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274084000.000000000056D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .VbP.Vb
Source: classification engine Classification label: mal52.phis.spyw.evad.winEXE@106/99@0/0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E231760 LoadResource,LockResource,SizeofResource
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Program Files\Wizvera
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Mutant created: \Sessions\1\BaseNamedObjects\{24D4C5E4-B2DA-43BC-99D8-8D4F9E6A3E1E}_x64
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1016:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5240:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03
Source: C:\Users\user\Desktop\veraport-g3-x64.exe File created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraport-x64.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraport.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "veraportmain20.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "verainagent.exe")
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmp, certutil.exe, 00000018.00000002.3263294247.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000020.00000002.3303566126.000000006C494000.00000002.00000001.01000000.00000016.sdmp, certutil.exe, 00000022.00000002.3307607502.000000006C4C4000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: certutil.exe, 0000001E.00000003.3294705759.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3293943793.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000002.3297266923.0000000001557000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3295910054.0000000001556000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319321678.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3318822915.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3319955219.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a3 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000002E.00000002.3358919904.00000000008B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL ace536359 FROM nssPublic WHERE id=$ID;
Source: certutil.exe, 0000001A.00000002.3275366078.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272601571.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3274415890.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271492811.0000000000547000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345385863.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347980937.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346198949.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348667787.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3355441278.0000000000907000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3356240335.0000000000907000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3358406468.0000000000907000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT ALL a82 FROM nssPublic WHERE id=$ID;
Source: C:\Users\user\Desktop\veraport-g3-x64.exe; File read: C:\Users\user\Desktop\veraport-g3-x64.exe
Source: unknown; Process created: C:\Users\user\Desktop\veraport-g3-x64.exe "C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: C:\Users\user\Desktop\veraport-g3-x64.exe; Process created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp "C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp" /SL5="$10452,29641996,118784,C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp; Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Windows\System32\sc.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /addloopback
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe; Process created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Windows\System32\CheckNetIsolation.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /link
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe; Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
Source: C:\Windows\System32\taskkill.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe; Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe
Source: C:\Windows\System32\taskkill.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe; Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
Source: C:\Windows\System32\taskkill.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe; Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
Source: C:\Windows\System32\taskkill.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp; Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp; Process created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe "C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe" /force /gencert /target veraport
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe; Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exeProcess created: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp "C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp" /SL5="$504CE,5451002,118784,C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpProcess created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpProcess created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Windows\SysWOW64\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe "C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Windows\System32\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow
Source: C:\Windows\System32\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start WizveraPMSvc
Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\veraport-g3-x64.exe Process created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp "C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp" /SL5="$10452,29641996,118784,C:\Users\user\Desktop\veraport-g3-x64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /addloopback
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /link
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe "C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe" /force /gencert /target veraport
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe "C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: profapi.dllJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: plds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeSection loaded: nspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpWindow found: window name: TMainFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpAutomated click: Next >
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\WizveraJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\unins000.datJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-E859V.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-3H75G.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpDirectory created: C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2D992E01-604B-472C-A883-1DDA105A24D5}_is1Jump to behavior
Source: veraport-g3-x64.exeStatic PE information: certificate valid
Source: veraport-g3-x64.exeStatic file information: File size 30041304 > 1048576
Source: Binary string: C:\Users\wizvera\Desktop\WizveraRegsvr\x64\Release\WizveraRegsvr.pdb source: wizveraregsvr.exe, 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp, wizveraregsvr.exe, 00000013.00000000.2363487958.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: msvcr120.i386.pdb source: certutil.exe, 00000018.00000002.3263802690.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001A.00000002.3276531657.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001C.00000002.3282095622.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000001E.00000002.3297710179.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000020.00000002.3303674504.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000022.00000002.3307695415.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000024.00000002.3312291213.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000026.00000002.3324453102.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 00000028.00000002.3332121105.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002A.00000002.3341341268.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002C.00000002.3349057425.000000006C4A1000.00000020.00000001.01000000.00000014.sdmp, certutil.exe, 0000002E.00000002.3360358812.000000006C4D1000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: veraport20unloader.exe, 00000005.00000002.2179119142.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000000.2160538623.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000002.2278176560.0000000140411000.00000080.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000000.2179765616.00000001403FD000.00000080.00000001.01000000.00000007.sdmp, veraport-x64.exe, 00000015.00000000.2470887094.00007FF70FA6B000.00000080.00000001.01000000.0000000C.sdmp, veraport-x64.exe, 00000015.00000002.4582647553.00007FF70FAC2000.00000080.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\x64\Release\veraport-x64.pdb source: veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\project\veraport20-trunk\Release\wizcertutil.pdb source: wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 19_2_00007FF69E23A800 GetModuleHandleW,LoadLibraryW,GetProcAddress,19_2_00007FF69E23A800
Source: initial sampleStatic PE information: section where entry point is pointing to: .themida
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name:
Source: veraport20unloader.exe.1.drStatic PE information: section name: .themida
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name:
Source: is-E859V.tmp.1.drStatic PE information: section name: .themida
Source: is-3MSD8.tmp.1.drStatic PE information: section name:
Source: is-3MSD8.tmp.1.drStatic PE information: section name:
Source: is-3MSD8.tmp.1.drStatic PE information: section name:
Source: is-3MSD8.tmp.1.drStatic PE information: section name:
Source: is-3MSD8.tmp.1.drStatic PE information: section name:
Source: is-3MSD8.tmp.1.drStatic PE information: section name: .themida
Source: is-N4BK0.tmp.1.drStatic PE information: section name:
Source: is-N4BK0.tmp.1.drStatic PE information: section name:
Source: is-N4BK0.tmp.1.drStatic PE information: section name:
Source: is-N4BK0.tmp.1.drStatic PE information: section name:
Source: is-N4BK0.tmp.1.drStatic PE information: section name:
Source: is-N4BK0.tmp.1.drStatic PE information: section name: .themida
Source: is-08M60.tmp.1.drStatic PE information: section name:
Source: is-08M60.tmp.1.drStatic PE information: section name:
Source: is-08M60.tmp.1.drStatic PE information: section name:
Source: is-08M60.tmp.1.drStatic PE information: section name:
Source: is-08M60.tmp.1.drStatic PE information: section name:
Source: is-08M60.tmp.1.drStatic PE information: section name: .themida
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name:
Source: is-G2UQK.tmp.1.drStatic PE information: section name: .themida
Source: is-LNJSQ.tmp.53.drStatic PE information: section name: .themida
Source: is-E4U10.tmp.53.drStatic PE information: section name: .themida
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00D11A12 pushfd ; ret 18_2_00D11A13
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CFCD92 pushfd ; ret 18_2_00CFCD93
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00D08B63 push es; iretd 18_2_00D08BE2
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00D0E928 pushfd ; iretd 18_2_00D0E96A
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CED6C8 push es; iretd 18_2_00CED6DA
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF16D0 push ds; iretd 18_2_00CF16FA
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CEEA89 push es; iretd 18_2_00CEEA8A
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CEEA81 push es; iretd 18_2_00CEEA82
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF1699 push ds; iretd 18_2_00CF16FA
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CEF499 push cs; iretd 18_2_00CEF49A
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CEFEB8 push es; iretd 18_2_00CEFEE2
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF1E4C push ss; iretd 18_2_00CF1E72
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF2C70 push ss; iretd 18_2_00CF2C72
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF3010 push ss; iretd 18_2_00CF303A
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CED422 push es; ret 18_2_00CED58C
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF1E21 push ss; iretd 18_2_00CF1E22
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF1D80 push ss; iretd 18_2_00CF1D82
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF2910 push ss; iretd 18_2_00CF293A
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CF1729 push ds; iretd 18_2_00CF172A
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CE0150 push eax; retf 18_2_00CE0151
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CE3098 push eax; retf 18_2_00CE30A9
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CE7510 pushad ; ret 18_2_00CE7511
Source: C:\Windows\System32\regsvr32.exeCode function: 18_2_00CE0323 push eax; retf 18_2_00CE0341
Source: veraport20unloader.exe.1.drStatic PE information: section name: entropy: 7.980357022482312
Source: is-N4BK0.tmp.1.drStatic PE information: section name: entropy: 7.980357022482312
Source: is-08M60.tmp.1.drStatic PE information: section name: entropy: 7.986876970457978
Source: is-G2UQK.tmp.1.drStatic PE information: section name: entropy: 7.985969831962771
Source: is-L93U9.tmp.1.drStatic PE information: section name: .text entropy: 6.95576372950548

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FA4E633B56F1C7DF4738ECC9C5317CEF39A4E51 Blob
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4FA4E633B56F1C7DF4738ECC9C5317CEF39A4E51 Blob
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nss3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\softokn3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssdbm3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\freebl3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-JREV0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-O9SHM.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraport20.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-41J0E.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-3H75G.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssutil3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\Desktop\veraport-g3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-UR9ID.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-HE9AS.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\plds4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-SDLEI.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraport20unloader.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\npveraport20.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\smime3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-6EMT9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-LNJSQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-97UAB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-JP5T3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-1OEHN.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-IOCFQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-CU9VR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\plc4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\mozillafinder.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\msvcr120.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-E859V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nspr4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\sqlite3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-J9TPL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-E4U10.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-BDARG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-RGLV1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssckbi.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\ssl3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-0R719.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_shfoldr.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-L93U9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exeFile created: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-08M60.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Program Files\Wizvera\Veraport20\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpFile created: C:\Users\user\AppData\Local\Temp\Setup Log 2024-10-28 #001.txtJump to behavior

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\veraport.exe CWDIllegalInDllSearchJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpmsvc.exe CWDIllegalInDllSearch
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wizvera-veraport-x64Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop WizveraPMSvc
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exeCode function: 19_2_00007FF69E237A88 IsIconic,GetWindowPlacement,GetWindowRect,19_2_00007FF69E237A88
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Users\user\Desktop\veraport-g3-x64.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\regsvr32.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Windows\System32\regsvr32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Window / User API: threadDelayed 493
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-97UAB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-1OEHN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\softokn3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssdbm3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\freebl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-JREV0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-IOCFQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-CU9VR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\mozillafinder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-41J0E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-UR9ID.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\is-E859V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-HE9AS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-J9TPL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-SDLEI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-RGLV1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\ssl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssckbi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-6EMT9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-0R719.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-L93U9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-08M60.tmp
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Dropped PE file which has not been started: C:\Program Files\Wizvera\Veraport20\unins000.exe (copy)
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_19-14373
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe API coverage: 9.4 %
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe TID: 1380 Thread sleep count: 493 > 30
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe TID: 1380 Thread sleep time: -49300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: regsvr32.exe, regsvr32.exe, 00000012.00000003.2362533034.0000000000D31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000012.00000002.2362719761.0000000000D31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: veraport-x64.exe, 00000015.00000002.4552524219.0000000001394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: certutil.exe, 00000018.00000002.3259458534.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000018.00000003.3258739238.00000000006EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx|Y
Source: certutil.exe, 0000002C.00000002.3348480178.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: certutil.exe, 0000001A.00000002.3275098873.00000000004F8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001C.00000003.3280811049.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3296019426.0000000001514000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000020.00000003.3302243288.00000000008E4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000022.00000003.3306417207.00000000011C4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000024.00000003.3311221966.0000000001293000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000024.00000002.3311755879.0000000001296000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000026.00000003.3320858550.0000000000764000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000028.00000003.3330114679.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002A.00000003.3338134198.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002E.00000003.3358378404.00000000008C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe API call chain: ExitProcess graph end node graph_19-14374
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\regsvr32.exe Thread information set: HideFromDebugger
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Thread information set: HideFromDebugger
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Thread information set: HideFromDebugger
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Open window title or class name: gbdyllo
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process queried: DebugObjectHandle
Source: C:\Windows\System32\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\System32\regsvr32.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process queried: DebugPort
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugPort
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe Process queried: DebugObjectHandle
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugPort
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245B78 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E23A800 GetModuleHandleW,LoadLibraryW,GetProcAddress
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E245D6C SetUnhandledExceptionFilter
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E2494F8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E242150 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe NtSetInformationThread: Indirect: 0x1808751A3
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe NtSetInformationThread: Indirect: 0x7FF70FCA4570
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe NtSetInformationThread: Indirect: 0x1405A89F6
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe NtQueryInformationProcess: Indirect: 0x1405CAC1B
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe NtQueryInformationProcess: Indirect: 0x1405BAD04
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe NtQueryInformationProcess: Indirect: 0x18085CE79
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe NtQueryInformationProcess: Indirect: 0x7FF70FC93633
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe NtQueryInformationProcess: Indirect: 0x7FF70FC93F45
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe NtQueryInformationProcess: Indirect: 0x18086FED2
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\CheckNetIsolation.exe "C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe Process created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe Process created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exeProcess created: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe "c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraport.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exeProcess created: C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /f /im verainagent.exeJump to behavior
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: GetLocaleInfoA,19_2_00007FF69E250918
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: GetLocaleInfoW,_errno,_errno,_snwprintf_s,_errno,_errno,_errno,PathFindFileNameW,GetModuleHandleW,GetProcAddress,LoadLibraryExW,19_2_00007FF69E231900
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe Queries volume information: C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E2469C0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,19_2_00007FF69E2469C0
Source: C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe Code function: 19_2_00007FF69E237844 GetVersionExA,19_2_00007FF69E237844
Source: C:\Program Files\Wizvera\Veraport20\veraport-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp Process created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmpProcess created: C:\Windows\System32\netsh.exe "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
Source: C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txt
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\pkcs11.txu
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert9.db-journal
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cert8.db

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 22 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | 2 Native API | 1 Image File Execution Options Injection | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Input Capture | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | 2 Windows Service | 1 Image File Execution Options Injection | 2 Obfuscated Files or Information | Security Account Manager | 36 System Information Discovery | SMB/Windows Admin Shares | 1 Data from Local System | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Registry Run Keys / Startup Folder | 2 Windows Service | 1 Install Root Certificate | NTDS | 1 Query Registry | Distributed Component Object Model | 1 Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 2 Software Packing | LSA Secrets | 531 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 21 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 33 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 33 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 2 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Regsvr32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption |

[Behavior graph] Behavior Graph ID: 1544106; Sample: veraport-g3-x64.exe; Startdate: 28/10/2024; Architecture: WINDOWS; Score: 52

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| veraport-g3-x64.exe | 8% | ReversingLabs | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) | 25% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-E4U10.tmp | 0% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-LNJSQ.tmp | 25% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-RGLV1.tmp | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\unins000.exe (copy) | 3% | ReversingLabs | | |
| C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-3H75G.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-3MSD8.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-E859V.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-G2UQK.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-HRCVV.tmp | 3% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-MPA4S.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\is-N4BK0.tmp | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\npveraport20.dll (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\unins000.exe (copy) | 3% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraport-x64.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraport20.dll (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraport20unloader.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\veraportmain20.exe (copy) | 0% | ReversingLabs | | |
| C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp | 5% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-EQ13T.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-08M60.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-BDARG.tmp | 17% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\is-JP5T3.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\mozillafinder.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\freebl3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-0R719.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-1OEHN.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-41J0E.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-6EMT9.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-97UAB.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-CU9VR.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-HE9AS.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-IOCFQ.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-J9TPL.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-JREV0.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-L93U9.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-O9SHM.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-SDLEI.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\is-UR9ID.tmp | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\msvcr120.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nspr4.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nss3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssckbi.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssdbm3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\nssutil3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\plc4.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\plds4.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\smime3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\softokn3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\sqlite3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\ssl3.dll (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe (copy) | 0% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe (copy) | 17% | ReversingLabs | | |
| C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp | 5% | ReversingLabs | | |

No Antivirus matches
No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://ocsp.entrust.net03 | 0% | URL Reputation | safe | |
| http://cps.chambersign.org/cps/chambersroot.html0 | 0% | URL Reputation | safe | |
| http://www.chambersign.org1 | 0% | URL Reputation | safe | |
| http://www.firmaprofesional.com/cps0 | 0% | URL Reputation | safe | |
| http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe | |
| http://repository.swisssign.com/0 | 0% | URL Reputation | safe | |
| http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe | |
| http://crl.securetrust.com/STCA.crl0 | 0% | URL Reputation | safe | |
| http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe | |
| http://www.quovadisglobal.com/cps0 | 0% | URL Reputation | safe | |
| http://x1.c.lencr.org/0 | 0% | URL Reputation | safe | |
| http://x1.i.lencr.org/0 | 0% | URL Reputation | safe | |
| https://ocsp.quovadisoffshore.com0 | 0% | URL Reputation | safe | |
| http://ocsp.entrust.net0D | 0% | URL Reputation | safe | |
| http://policy.camerfirma.com0 | 0% | URL Reputation | safe | |
| http://www.innosetup.com/ | 0% | URL Reputation | safe | |
| http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe | |
| http://ocsp.accv.es0 | 0% | URL Reputation | safe | |
| http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe | |
| http://crt.rootca1.amazontrust.com/rootca1.cer0? | 0% | URL Reputation | safe | |
| http://www.quovadis.bm0 | 0% | URL Reputation | safe | |
| http://www.accv.es00 | 0% | URL Reputation | safe | |
| http://www.remobjects.com/ps | 0% | URL Reputation | safe | |
| https://secure.comodo.com/CPS0 | 0% | URL Reputation | safe | |
| http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe | |

No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D75000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.cnnic.cn/download/cert/CNNICROOT.cer0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                            unknown
                                            http://help.wizvera.com/help/faq/killprocess.htmlInvalidveraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmpfalse
                                              unknown
                                              http://www.startssl.com/policy.pdf0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                unknown
                                                http://www.sk.ee/cps/0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  unknown
                                                  http://www.e-szigno.hu/SZSZ/0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    unknown
                                                    https://ocsp.quovadisoffshore.com0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://ocsp.entrust.net0Dveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl0#veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      unknown
                                                      http://cps.chambersign.org/cps/chambersignroot.html0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        unknown
                                                        http://policy.camerfirma.com0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.innosetup.com/veraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002360000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000000.2091498271.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://ocsp.pki.gva.es0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          unknown
                                                          http://www.phreedom.org/md5)veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            unknown
                                                            http://crl.entrust.net/server1.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.accv.es/legislacion_c.htm0Uveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              unknown
                                                              https://hg.mozilla.org/projects/nssveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                unknown
                                                                http://www.certicamara.com/dpc/0Zveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://crl.pki.wellsfargo.com/wsprca.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    unknown
                                                                    http://ocsp.accv.es0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://rca.e-szigno.hu/ocsp0-veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://www.netlock.hu/docs/veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://crl.cnnic.cn/download/rootsha2crl/CRL1.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          unknown
                                                                          http://crl.rootca1.amazontrust.com/rootca1.crl0certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://vp.wizvera.com/vp-policy/regsvr32.exe, 00000012.00000003.2361385463.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://ocsp.rootca1.amazontrust.com0:certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 
0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://ocspcnnicroot.cnnic.cn0;veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://hg.mozilla.org/projects/nsprveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  https://://80:http://https://.?veraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000003.2477875967.0000000002E60000.00000004.00001000.00020000.00000000.sdmp, veraport-x64.exe, 00000015.00000002.4555379773.00007FF70F696000.00000002.00000001.01000000.0000000C.sdmp, wizcertutil.exe, 00000017.00000002.3386364551.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmp, wizcertutil.exe, 00000017.00000000.3228728729.0000000000FB6000.00000002.00000001.01000000.0000000D.sdmpfalse
                                                                                    unknown
                                                                                    http://acedicom.edicomgroup.com/doc0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://crl.pkioverheid.nl/DomOvLatestCRL.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://www.wizvera.comveraport-g3-x64.tmp, 00000001.00000003.2092405915.00000000031A0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.wizvera.comqveraport-g3-x64.exe, 00000000.00000003.3515462350.0000000000A11000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000003.3506929488.0000000002311000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://www.catcert.net/verarrelveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.disig.sk/ca0fveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.e-szigno.hu/RootCA.crlveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://help.wizvera.com/help/faq/killprocess.htmlveraport20unloader.exe, 00000005.00000002.2173701332.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000005.00000003.2169692250.0000000000400000.00000004.00001000.00020000.00000000.sdmp, veraport20unloader.exe, 00000008.00000002.2261276328.000000014005E000.00000002.00000001.01000000.00000007.sdmp, veraport20unloader.exe, 00000008.00000003.2185887432.0000000001F80000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://www.openssl.org/support/faq.html....................wpmsvc.exe, 0000003C.00000002.3439396785.000000000063A000.00000002.00000001.01000000.0000001E.sdmpfalse
                                                                                                        unknown
                                                                                                        http://www.sk.ee/juur/crl/0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://crl.chambersign.org/chambersignroot.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://crl.xrampsecurity.com/XGCA.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?certutil.exe, 0000001A.00000003.3270938700.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3270515225.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275475964.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3271967040.00000000005B1000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272939018.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000002.3275665055.00000000005C7000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3273436316.00000000005C6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001A.00000003.3272171784.00000000005AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3287221783.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288065099.00000000018A8000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3292274225.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3288196458.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3289333438.00000000018AD000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3294249931.0000000001899000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000001E.00000003.3286781773.00000000018A6000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348783935.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3346293912.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3347860326.0000000000D63000.00000004.00000020.00020000.00000000.sdmp, 
certutil.exe, 0000002C.00000003.3346382673.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000002.3348813860.0000000000D75000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 0000002C.00000003.3345267624.0000000000D60000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://vp.wizvera.com/vp-policy/originregsvr32.exe, 00000012.00000003.2361385463.00000000029B0000.00000004.00001000.00020000.00000000.sdmp, wizveraregsvr.exe, 00000013.00000003.2370896442.00000000030F0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://www.catcert.net/verarrel05veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://www.quovadis.bm0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://www.startssl.com/intermediate.pdf0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://ocsp.suscerte.gob.ve0Averaport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://www.trustdst.com/certificates/policy/ACES-index.html0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.accv.es00veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://www.pki.gva.es/cps0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.remobjects.com/psveraport-g3-x64.exe, 00000000.00000003.2090423362.0000000002360000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.exe, 00000000.00000003.2090897797.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, veraport-g3-x64.tmp, 00000001.00000000.2091498271.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://www.pki.gva.es/cps0%veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://www.pkioverheid.nl/policies/root-policy-G20veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://secure.comodo.com/CPS0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://www.netlock.net/docsveraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.phreedom.org/md5)0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://crl.entrust.net/2048ca.crl0veraport-g3-x64.tmp, 00000001.00000003.3501490818.0000000005A20000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://ocsp.gl9jveraport-x64.exe, 00000015.00000002.4553402827.0000000002E55000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
No contacted IP infos

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544106
Start date and time: 2024-10-28 20:27:35 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 72
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
                                                                                                                                    • EGA enabled
                                                                                                                                    • AMSI enabled
                                                                                                                                    Analysis Mode:default
                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                    Sample name:veraport-g3-x64.exe
                                                                                                                                    Detection:MAL
                                                                                                                                    Classification:mal52.phis.spyw.evad.winEXE@106/99@0/0
                                                                                                                                    EGA Information:
                                                                                                                                    • Successful, ratio: 20%
                                                                                                                                    HCA Information:Failed
                                                                                                                                    Cookbook Comments:
                                                                                                                                    • Found application associated with file extension: .exe
                                                                                                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                    • Execution Graph export aborted for target regsvr32.exe, PID 1784 because there are no executed function
                                                                                                                                    • Execution Graph export aborted for target veraport-x64.exe, PID 4028 because there are no executed function
                                                                                                                                    • Execution Graph export aborted for target veraport20unloader.exe, PID 2820 because there are no executed function
                                                                                                                                    • Execution Graph export aborted for target veraport20unloader.exe, PID 4564 because there are no executed function
                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                    • VT rate limit hit for: veraport-g3-x64.exe
Time | Type | Description
15:31:58 | API Interceptor | 194x Sleep call for process: wpmsvc.exe modified
20:29:00 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run wizvera-veraport-x64 "C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe (copy) | https://bizbank.shinhan.com/sw/wizvera/veraport/install20/install_eng.html | Get hash | malicious | Unknown | Browse |
 | sass.zip | Get hash | malicious | Unknown | Browse |
 | veraport-g3s-x64-sha2.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files (x86)\Wizvera\Common\wpmsvc\is-E4U10.tmp | https://bizbank.shinhan.com/sw/wizvera/veraport/install20/install_eng.html | Get hash | malicious | Unknown | Browse |
 | sass.zip | Get hash | malicious | Unknown | Browse |
 | veraport-g3s-x64-sha2.exe | Get hash | malicious | Unknown | Browse |
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4758688
                                                                                                                                                Entropy (8bit):6.245945172384072
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:4xvLijESMeeBXm5CK5s89n0X1nFRWX4rsht6FtFJOaKFeH:4xTLveeBXmMK5syn0Fn/WRht6FtOaKUH
                                                                                                                                                MD5:50E4842EA92F74B2C82426FF562E2CCD
                                                                                                                                                SHA1:77791214B5DD1E05606895983E086AEF6CB56E37
                                                                                                                                                SHA-256:1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
                                                                                                                                                SHA-512:A8514B907721E2B55EF5EBFEE37C9551A313951E95B5AFB8576FB3D4EF9E5F35AC94BBEAB69FE7A4BEE4704CCC7C8657AA5FE02FF21E2B64B60B826184474DDB
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: , Detection: malicious, Browse
                                                                                                                                                • Filename: sass.zip, Detection: malicious, Browse
                                                                                                                                                • Filename: veraport-g3s-x64-sha2.exe, Detection: malicious, Browse
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5647008
                                                                                                                                                Entropy (8bit):6.337662956974294
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:Wq4jd67cvZUPTsYof+yJw6nWWkG82uNWFZEGve:ad5Kwg7GTuNEaWe
                                                                                                                                                MD5:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                SHA1:FCB11C73896ECF7529AEFD0D1D9E018FF033F01E
                                                                                                                                                SHA-256:89F20D64BB5F74375334BED6C6D97EB6A691EA2FA6F5B62138D91DD6E064C3F3
                                                                                                                                                SHA-512:57FC93E1BBE9B2D5B56E18F5181A551CE5329C336CA214ECBD3A911B22BB418CC573F3EA719B2F7D77E6E7DA47F50E2C25C6A0CD1E9CB192B7D5DDC5C1A33DC6
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Joe Sandbox View:
                                                                                                                                                • Filename: , Detection: malicious, Browse
                                                                                                                                                • Filename: sass.zip, Detection: malicious, Browse
                                                                                                                                                • Filename: veraport-g3s-x64-sha2.exe, Detection: malicious, Browse
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):4758688
                                                                                                                                                Entropy (8bit):6.245945172384072
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:4xvLijESMeeBXm5CK5s89n0X1nFRWX4rsht6FtFJOaKFeH:4xTLveeBXmMK5syn0Fn/WRht6FtOaKUH
                                                                                                                                                MD5:50E4842EA92F74B2C82426FF562E2CCD
                                                                                                                                                SHA1:77791214B5DD1E05606895983E086AEF6CB56E37
                                                                                                                                                SHA-256:1D30213F461B5A48B7B230C926F8D83455B0EDC4AB636140170F7B86C2EDB3CC
                                                                                                                                                SHA-512:A8514B907721E2B55EF5EBFEE37C9551A313951E95B5AFB8576FB3D4EF9E5F35AC94BBEAB69FE7A4BEE4704CCC7C8657AA5FE02FF21E2B64B60B826184474DDB
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 25%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1193161
                                                                                                                                                Entropy (8bit):6.371245482388537
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:Y4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyxg:9T90guMXEdqwHkUjr
                                                                                                                                                MD5:AAFDCB24246D5018716BA7FE24488125
                                                                                                                                                SHA1:FE84A2480A9561A63A9DABC5C1C3A2C3EE082BC7
                                                                                                                                                SHA-256:4AEB5405CCF74214098229712CDF6157A4783B51FC42086408A5D0D9169DE41E
                                                                                                                                                SHA-512:74C053460B769FAB296D5EC96F4EBC6B042ECBD44EAA6718BAB9BE460BB3227B15E9F5109973B318C8A59EAA645BC42CD0769FF7A8EC2C18612494E10715570F
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:InnoSetup Log WIZVERA Process Manager {8941A397-4065-4F41-92CE-0EB610846EED}, version 0x418, 5475 bytes, 888683\37\user\37, C:\Program Files (x86)\Wizvera\Common\wpms
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5475
                                                                                                                                                Entropy (8bit):4.02702987428183
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:96:WloZZ4XyHynQy6ayGyG+4wC1TkTIfc1AGlEDA4MZAe2LI/zPtLT9e/hVHHhS:WlSNSN6jfG+9If7fDSmwt4VHY
                                                                                                                                                MD5:5AD52129A5C90732587CCAE60D326029
                                                                                                                                                SHA1:433CB8963658BAEB8D0C69E6BB14CCAFF46A6828
                                                                                                                                                SHA-256:41DFEE03A519E11EB6BAAB5E9A4D75666843405616C8F40530880BD0BCCA36BE
                                                                                                                                                SHA-512:ECF8E56D4CC4DCF51DE6124C5A56C6DFCA54C728806770F908A2DB3B08523B0D9AB54AD66C8B8887F0EA9C329C2F00A9918BFEE2B1E337DF245C386B6EDD00EA
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1193161
                                                                                                                                                Entropy (8bit):6.371245482388537
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:Y4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyxg:9T90guMXEdqwHkUjr
                                                                                                                                                MD5:AAFDCB24246D5018716BA7FE24488125
                                                                                                                                                SHA1:FE84A2480A9561A63A9DABC5C1C3A2C3EE082BC7
                                                                                                                                                SHA-256:4AEB5405CCF74214098229712CDF6157A4783B51FC42086408A5D0D9169DE41E
                                                                                                                                                SHA-512:74C053460B769FAB296D5EC96F4EBC6B042ECBD44EAA6718BAB9BE460BB3227B15E9F5109973B318C8A59EAA645BC42CD0769FF7A8EC2C18612494E10715570F
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5647008
                                                                                                                                                Entropy (8bit):6.337662956974294
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:Wq4jd67cvZUPTsYof+yJw6nWWkG82uNWFZEGve:ad5Kwg7GTuNEaWe
                                                                                                                                                MD5:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                SHA1:FCB11C73896ECF7529AEFD0D1D9E018FF033F01E
                                                                                                                                                SHA-256:89F20D64BB5F74375334BED6C6D97EB6A691EA2FA6F5B62138D91DD6E064C3F3
                                                                                                                                                SHA-512:57FC93E1BBE9B2D5B56E18F5181A551CE5329C336CA214ECBD3A911B22BB418CC573F3EA719B2F7D77E6E7DA47F50E2C25C6A0CD1E9CB192B7D5DDC5C1A33DC6
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):235240
                                                                                                                                                Entropy (8bit):6.053292853230514
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:etvjHwoQlaxnvqSzAZZkmvqztQ+i5QJ1005CQ6RJdbk5t5i8Gnlo80:o7Hwz2nvtAZQztQVQJt516rdQC8G8
                                                                                                                                                MD5:AA4EF1C182A79F24B519167C41FAB32E
                                                                                                                                                SHA1:D87210DEBD30250C8D9C3091D2A7ED1A3C662D1B
                                                                                                                                                SHA-256:5F196219171FB668B4022ACBE3E1D58A90D202D0622D6EBCD67D224AD9ED58DB
                                                                                                                                                SHA-512:2EA4A65126B44A1DBD467297D0D769F6AAFD7E9D084B79AF8BC967F0AC382A766B0F6940D5DF15101F585EE2C07E75A40D87D6A0B1C987C863FB6DF50A933C07
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8286912
                                                                                                                                                Entropy (8bit):6.694841811884697
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:ZeWgSwjF6bCCEuY3rG8Q/cZivycQZsYj9XMXXzNTMJ:X9wjF6bKuY3y8Q/nbQZTxXMXXpT0
                                                                                                                                                MD5:DB10BB6F8262E58341E6A3E527E743BF
                                                                                                                                                SHA1:EB6AF6CC52B63E009701A5B589FB056829E615BD
                                                                                                                                                SHA-256:44FE85FC5CABAC7B087B47E57DE0C8A3C01D73B12C02A4C8DAE0C5C314D609E4
                                                                                                                                                SHA-512:A119444BDBEC3D37F096600B66514353CCB4215DB043D9527E4345BC7A0218941AB8E271990AF3C7CE4F833AA3238B606FE16286DDF87AC61416C58C872F59E4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8258240
                                                                                                                                                Entropy (8bit):6.729887710908361
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:6nEdpRe1wkjLl6qI0IQmFrn6wltIIN+uhOXh:8ET0SkNk0PwtI6+uC
                                                                                                                                                MD5:B967B594C844405B0B812F138CAA0387
                                                                                                                                                SHA1:4C4032109E782620C56398FF03FADE1F3C68081A
                                                                                                                                                SHA-256:F382F0065A661338E5F08F9E5071268E7074D43FA454C84ED9D12653F290B39A
                                                                                                                                                SHA-512:5AAA7DD243E55F44BC901F2B148DFE759E84B71E9B1E6320075FABF5141D288DA175F03C0E812342532BD2FE1495F16387C498305F7A3CAC14608783B7200B75
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):7876288
                                                                                                                                                Entropy (8bit):6.665125070561091
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:196608:GjhKIhDehTMVeqDk3mnXbhaTjy8p575uQLxV:ulhD+geqQEhaX75ugV
                                                                                                                                                MD5:9DCEECDFF4DA4C0F08C55A6D945F86B4
                                                                                                                                                SHA1:8904EBB92695CD80DF58D86C9EADAC4C659B9FDD
                                                                                                                                                SHA-256:F542BB6A136F6B0B2314AF75C605D4B11B8557013DD1ECE29EDCBBE0F39C6744
                                                                                                                                                SHA-512:627B0C839A4E80FFADCECA9463B15C3C43AAE3AC1F09E36C44A45E88CC12C4989BFB234A11018BCA93F5FF7AFFB5BD274B3FC5607D6E07B25ED321BF70084CD2
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1193161
                                                                                                                                                Entropy (8bit):6.371244980836957
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:Y4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyxn:9T90guMXEdqwHkUjI
                                                                                                                                                MD5:34B4DB985D127B4D8115B12846163275
                                                                                                                                                SHA1:0829771AA115EAD898EB9000663A378F367EFA41
                                                                                                                                                SHA-256:397F36BC5D09D70FF2AFDCAD887694C496CC2CFA1754D15F724A9E91E49CC555
                                                                                                                                                SHA-512:9CB1A334F05E40CF6532F5F1A844C18BF41B5BE40281C9DB2DC1919188698C6806F1C572E1A70270821B39AEAF57F27309B80CFD2CB5114DAE60723D90649263
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):279904
                                                                                                                                                Entropy (8bit):6.156045966593659
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:inljFG84mL/HNHQBFTQxUSF5L7rhFvs15DLR+mVz7B0FA:iljFL/uBFYUS37rhxs15J+/u
                                                                                                                                                MD5:69C1B4D6A90EB292C9239AECBBF85331
                                                                                                                                                SHA1:F66B04990EE8A556D979D7EC0DE77A6C06057F2B
                                                                                                                                                SHA-256:28ADCEC0FA02CE2DEAE1B11F520547C4C790EB75182E1792B371EC19F2BDEC2B
                                                                                                                                                SHA-512:65D6171415507CF7A74DFD823C4DED345EA539792A03525EF79149E418F606669E2CD57D067848DA6EE417CF525062677AAADE103B23D587FC1EC599B41D0858
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6840000
                                                                                                                                                Entropy (8bit):6.2837212843053045
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:SjnZwWd78sI5AVU+rmfe/x/BRrhGw6k/I35:SjZwE74AVUSmmZZFEhQy
                                                                                                                                                MD5:D0F24C3902D7B2D7B1B66068B778224A
                                                                                                                                                SHA1:D729966B95948B007F330088CF56F83EA7001589
                                                                                                                                                SHA-256:2C3DD7C3CDE5B860BC4F1DB474DEFEA508BB94DBE3495EF372E3D525B0B12840
                                                                                                                                                SHA-512:70B36CA826BCB85FAA20594E93D17F629BDC01D616253705B901BBB56D48BF939D5E377039C60205880EBE66A42C153C0896F91A6635F0CBA6E65C2D67B66FDF
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):279904
                                                                                                                                                Entropy (8bit):6.156045966593659
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:inljFG84mL/HNHQBFTQxUSF5L7rhFvs15DLR+mVz7B0FA:iljFL/uBFYUS37rhxs15J+/u
                                                                                                                                                MD5:69C1B4D6A90EB292C9239AECBBF85331
                                                                                                                                                SHA1:F66B04990EE8A556D979D7EC0DE77A6C06057F2B
                                                                                                                                                SHA-256:28ADCEC0FA02CE2DEAE1B11F520547C4C790EB75182E1792B371EC19F2BDEC2B
                                                                                                                                                SHA-512:65D6171415507CF7A74DFD823C4DED345EA539792A03525EF79149E418F606669E2CD57D067848DA6EE417CF525062677AAADE103B23D587FC1EC599B41D0858
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:InnoSetup Log 64-bit Veraport-x64 {2D992E01-604B-472C-A883-1DDA105A24D5}, version 0x418, 8654 bytes, 888683\37\user\37, C:\Program Files\Wizvera\Veraport20\376\37
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8654
                                                                                                                                                Entropy (8bit):3.981643945703711
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:Ywb+4d61lqs8UJ4QvHQhz+f7fQ4uZWYYYYAXgXlXLZHC:lb+4d61lqs8UJ4Zsf7DAWYYYYAwVNHC
                                                                                                                                                MD5:E5BBC5FAA35EE5B2233696C8B16446A5
                                                                                                                                                SHA1:BE83527E06166EA7FF4BC5D02D9A1F82B820E9E1
                                                                                                                                                SHA-256:CC9F8A9CAB39D8B1262BA0CDA2AEF0966BBA99DD62840744B3F11646BB48EF48
                                                                                                                                                SHA-512:06E8630C74C4091B80CB541D1A897ADA9520F5B9BF050115FAB8E33A1A34C04A902CC0BD083EE019E57EE57E2B79C8070B54B4F0689C0A494367DB55E1BA9163
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1193161
                                                                                                                                                Entropy (8bit):6.371244980836957
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:Y4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyxn:9T90guMXEdqwHkUjI
                                                                                                                                                MD5:34B4DB985D127B4D8115B12846163275
                                                                                                                                                SHA1:0829771AA115EAD898EB9000663A378F367EFA41
                                                                                                                                                SHA-256:397F36BC5D09D70FF2AFDCAD887694C496CC2CFA1754D15F724A9E91E49CC555
                                                                                                                                                SHA-512:9CB1A334F05E40CF6532F5F1A844C18BF41B5BE40281C9DB2DC1919188698C6806F1C572E1A70270821B39AEAF57F27309B80CFD2CB5114DAE60723D90649263
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):7876288
                                                                                                                                                Entropy (8bit):6.665125070561091
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:196608:GjhKIhDehTMVeqDk3mnXbhaTjy8p575uQLxV:ulhD+geqQEhaX75ugV
                                                                                                                                                MD5:9DCEECDFF4DA4C0F08C55A6D945F86B4
                                                                                                                                                SHA1:8904EBB92695CD80DF58D86C9EADAC4C659B9FDD
                                                                                                                                                SHA-256:F542BB6A136F6B0B2314AF75C605D4B11B8557013DD1ECE29EDCBBE0F39C6744
                                                                                                                                                SHA-512:627B0C839A4E80FFADCECA9463B15C3C43AAE3AC1F09E36C44A45E88CC12C4989BFB234A11018BCA93F5FF7AFFB5BD274B3FC5607D6E07B25ED321BF70084CD2
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8258240
                                                                                                                                                Entropy (8bit):6.729887710908361
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:6nEdpRe1wkjLl6qI0IQmFrn6wltIIN+uhOXh:8ET0SkNk0PwtI6+uC
                                                                                                                                                MD5:B967B594C844405B0B812F138CAA0387
                                                                                                                                                SHA1:4C4032109E782620C56398FF03FADE1F3C68081A
                                                                                                                                                SHA-256:F382F0065A661338E5F08F9E5071268E7074D43FA454C84ED9D12653F290B39A
                                                                                                                                                SHA-512:5AAA7DD243E55F44BC901F2B148DFE759E84B71E9B1E6320075FABF5141D288DA175F03C0E812342532BD2FE1495F16387C498305F7A3CAC14608783B7200B75
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6840000
                                                                                                                                                Entropy (8bit):6.2837212843053045
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:SjnZwWd78sI5AVU+rmfe/x/BRrhGw6k/I35:SjZwE74AVUSmmZZFEhQy
                                                                                                                                                MD5:D0F24C3902D7B2D7B1B66068B778224A
                                                                                                                                                SHA1:D729966B95948B007F330088CF56F83EA7001589
                                                                                                                                                SHA-256:2C3DD7C3CDE5B860BC4F1DB474DEFEA508BB94DBE3495EF372E3D525B0B12840
                                                                                                                                                SHA-512:70B36CA826BCB85FAA20594E93D17F629BDC01D616253705B901BBB56D48BF939D5E377039C60205880EBE66A42C153C0896F91A6635F0CBA6E65C2D67B66FDF
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):8286912
                                                                                                                                                Entropy (8bit):6.694841811884697
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:ZeWgSwjF6bCCEuY3rG8Q/cZivycQZsYj9XMXXzNTMJ:X9wjF6bKuY3y8Q/nbQZTxXMXXpT0
                                                                                                                                                MD5:DB10BB6F8262E58341E6A3E527E743BF
                                                                                                                                                SHA1:EB6AF6CC52B63E009701A5B589FB056829E615BD
                                                                                                                                                SHA-256:44FE85FC5CABAC7B087B47E57DE0C8A3C01D73B12C02A4C8DAE0C5C314D609E4
                                                                                                                                                SHA-512:A119444BDBEC3D37F096600B66514353CCB4215DB043D9527E4345BC7A0218941AB8E271990AF3C7CE4F833AA3238B606FE16286DDF87AC61416C58C872F59E4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):235240
                                                                                                                                                Entropy (8bit):6.053292853230514
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:etvjHwoQlaxnvqSzAZZkmvqztQ+i5QJ1005CQ6RJdbk5t5i8Gnlo80:o7Hwz2nvtAZQztQVQJt516rdQC8G8
                                                                                                                                                MD5:AA4EF1C182A79F24B519167C41FAB32E
                                                                                                                                                SHA1:D87210DEBD30250C8D9C3091D2A7ED1A3C662D1B
                                                                                                                                                SHA-256:5F196219171FB668B4022ACBE3E1D58A90D202D0622D6EBCD67D224AD9ED58DB
                                                                                                                                                SHA-512:2EA4A65126B44A1DBD467297D0D769F6AAFD7E9D084B79AF8BC967F0AC382A766B0F6940D5DF15101F585EE2C07E75A40D87D6A0B1C987C863FB6DF50A933C07
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):3152
                                                                                                                                                Entropy (8bit):7.941463077053905
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:MvdQhOKwMkr969ZbZ+xZgPbR9h4irwbZukYzG6bWO/0efMFHZKRSEywwqtCg:Mvde/8yr+UTnrwNuk4qS3e5Khyw35
                                                                                                                                                MD5:1B073E3572A1899068573ED39C5885EC
                                                                                                                                                SHA1:5D8AD5BB986E4BCD5471D35CD5E410D69A92831B
                                                                                                                                                SHA-256:A496156D508FB7568D9AF43C3D40401616A3C8CA6BE113A68C58A76616DEF7E2
                                                                                                                                                SHA-512:BECC63A13F8741560BCD44E10A8BF36319B01674D3FE4626B1EE68096D91D6C2327F4600C9FBF59BE812F3DE9C761FAF574972522E7AFFE6DE1B70204C935FA5
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1164
                                                                                                                                                Entropy (8bit):5.90583797087048
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcCCTUXTHQL4176XTHQtE0k3CW6Ypf9WmffJ506fn/CcWf+/2nJ:LrcCCgXE01GXELk3hJ6OJ5fP/C1J
                                                                                                                                                MD5:CCBF8E0739605E81657712AD8CD18883
                                                                                                                                                SHA1:44A857969839B4B3FC754BF5544CA3844D7D0C65
                                                                                                                                                SHA-256:C67910EA49853FED6FF4A1ECA48F29ED540893D54F6A3A028097B3783BAD7B8A
                                                                                                                                                SHA-512:EA16E35B461C265D5FEDB23E9FB47553A357A413F4AB19C0BDE4CA8C429292B3F6F834232E22175CACB729CB8F8E63F0538DB027AB1A2F528C0A36BAD015389A
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):15996
                                                                                                                                                Entropy (8bit):5.074747599571795
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:B0N9fwMx+ypppSpitxlItv84cW9PGzTwZT7lkd93b:yLfwMx+ypg92B
                                                                                                                                                MD5:2E4E01C9F5195FEDE1418B583CEF6088
                                                                                                                                                SHA1:6E0F66DACA041E212CBA5F4C276732860161E49F
                                                                                                                                                SHA-256:A188EC029EE44EABCCE8865260D1E3A23F29B517FBDD75015D7A72909A64B132
                                                                                                                                                SHA-512:0E70547640879467FA00EC2A9D17BB70BE256E870FD812CEC17DD91F7B57BE611ACEFCEB39125D69576C2CCB3D33C975FCF823212D7FEB0AC00BD8701767AB95
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:.2024-10-28 15:28:30.992 Log opened. (Time zone: UTC-04:00)..2024-10-28 15:28:30.992 Setup version: Inno Setup version 5.5.3 (u)..2024-10-28 15:28:30.992 Original Setup EXE: C:\Users\user\Desktop\veraport-g3-x64.exe..2024-10-28 15:28:30.992 Setup command line: /SL5="$10452,29641996,118784,C:\Users\user\Desktop\veraport-g3-x64.exe" ..2024-10-28 15:28:30.992 Windows version: 6.2.9200 (NT platform: Yes)..2024-10-28 15:28:30.992 64-bit Windows: Yes..2024-10-28 15:28:30.992 Processor architecture: x64..2024-10-28 15:28:30.992 User privileges: Administrative..2024-10-28 15:28:31.039 64-bit install mode: Yes..2024-10-28 15:28:31.054 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp..2024-10-28 15:28:36.117 Extracting temporary file: C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe..2024-10-28 15:28:49.617 Starting the installation process...2024-10-28 15:28:49.632 Creating directory: C:\Program Files\Wizvera..20
                                                                                                                                                Process:C:\Users\user\Desktop\veraport-g3-x64.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1170432
                                                                                                                                                Entropy (8bit):6.39928428004553
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:w4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyx:VT90guMXEdqwHkUj
                                                                                                                                                MD5:63B15124BE653DBE589C7981DA9D397C
                                                                                                                                                SHA1:AF8874BDF2AD726F5420E8132C10BECC2BBCD93C
                                                                                                                                                SHA-256:61674B90891CA099D5FEE62BF063A948A80863530AB6A31E7F9E06F0E5BC7599
                                                                                                                                                SHA-512:339B284B5DD7386DCFA86C8FDCF239A0E97CC168229EA9A66FC0C6B26771401FA7F27C2C6A435A836A43EA9C7E634A3E47EC77E0D27985794BBB4416DFC97AC8
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6144
                                                                                                                                                Entropy (8bit):4.289297026665552
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                                                MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                                                SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                                                SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                                                SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):23312
                                                                                                                                                Entropy (8bit):4.596242908851566
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6144
                                                                                                                                                Entropy (8bit):4.289297026665552
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                                                                MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                                                                SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                                                                SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                                                                SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):23312
                                                                                                                                                Entropy (8bit):4.596242908851566
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                                MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                                SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                                SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                                SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6637760
                                                                                                                                                Entropy (8bit):6.3146226107988985
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:cFgr4vACstNSEaGsBvz/XP4SU4wUkfLRLV:cFWCstNSEnCgWwUk3
                                                                                                                                                MD5:EEE308EC29EFC11BE2B9902E7D398F2E
                                                                                                                                                SHA1:C8FB317AC2786C71136A49F892B75E0B0088B285
                                                                                                                                                SHA-256:BCDDCDF843530430E4EA958F77C2C6F27FA7E52181B327B4D7ABD7E65F865D6C
                                                                                                                                                SHA-512:A420D2BC95CD260275FB91650B6459C692EB487B1286B7F7F162042E767A5F7011C3B51616242E025199223A0D18F7649AE658CC1174889341BB698D37EC846E
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5848896
                                                                                                                                                Entropy (8bit):7.994878119676408
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:98304:2u33UC7GOvq8jDuqywJBcm+d4wiysY1JBW99qu1EQd71YUfxt1adDJYGBo:2ufGOv5jDVywjcLrBsY13GEUyUf0ZbS
                                                                                                                                                MD5:EA18C971818F833249090BB8B11F72C3
                                                                                                                                                SHA1:9F1F166751452A2F9286DA2EC79092F031029617
                                                                                                                                                SHA-256:D2B17C8815A7E2E5F96C5A8DE96E949EDF4F4009EB9941A0B8A472D6A59A62EF
                                                                                                                                                SHA-512:A8D5DDE31BC4431ECF94D02891F3993AC4C10F60D4B5EA7FEEBB35C0CEA0E2A6D8A9D9E54B4EE1506B1C0A2B1A2DFC2C2CB4D67835F76FD0C444FCF95D67E7FA
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....,.Q..................................... ....@..........................p.......SY..........@....................................................Y.P,...........................................................................................text...,........................... ..`.itext..D........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.....................................rdata..............................@..@.rsrc................ ..............@..@.............p......................@..@........................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2172216
                                                                                                                                                Entropy (8bit):6.709878039513874
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:LkUFbvVrZuxV5fzo+y+9gjhYhptvwdRezosg:LpbvVrZud7o+yV2dvwn
                                                                                                                                                MD5:0FFE29C5EFF5BD3E25142A388FBEDB5A
                                                                                                                                                SHA1:23869F53B974BD0AB6EB08C90F48E900AD7BEBD6
                                                                                                                                                SHA-256:4C2D7F9ED2F8E2A55C2D6E34F1BBAC74DC3606168010E798C3249A43EB4E9B98
                                                                                                                                                SHA-512:8A3E613B9ED7AFD698E5AF3B676FE8ED147992D80B8748D68CA4C380CE6C3D6EADFFE410C31438EE13FC2C31C4844D5A610FA9E3AEFB6A8C68537C7EC852DE36
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........6..~X..~X..~X.W1..~X..5..~X..#..~X..~Y.\|X.....~X.....|X...._~X..,..~X.....~X..,..~X.....~X.Rich.~X.........................PE..L...[{.f.................D..................`....@...........................!......0!...@.....................................@........C............ .8).... .h....h...............................#..@............`..........@....................text....B.......D.................. ..`.rdata...t...`...v...H..............@..@.data............j..................@....rsrc....C.......D...(..............@..@.reloc........ ......l..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212
                                                                                                                                                Entropy (8bit):5.916479117884784
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcYw2/a2YVdQ/UX0lVzngeJu3W/Jkek2LN7SP4StSfn6vBdKZLEeaaF9gZ+cdQJ:LrcYitqMX0Xn3u3Wpx7Q4rP6vB8+eaaR
                                                                                                                                                MD5:7A65B4226F7B4F594BB4800E3B0996C6
                                                                                                                                                SHA1:5008A17A4426675A5781980151F0F2D06F31CC77
                                                                                                                                                SHA-256:905C65B5D8E5436932FE9EE5781EBC26E26B9E302790689058E48BDA376DDFA5
                                                                                                                                                SHA-512:09FA5AB2EA077DC2A27C2E421A0AECD525EC0BBE27E6442177CA48C753AE74811F8C1851CAB376BDD09E616C318D09CDDCB4A79861FC716FC2CA37123ACFD3CA
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212
                                                                                                                                                Entropy (8bit):5.904728962463118
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6637760
                                                                                                                                                Entropy (8bit):6.3146226107988985
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:cFgr4vACstNSEaGsBvz/XP4SU4wUkfLRLV:cFWCstNSEnCgWwUk3
                                                                                                                                                MD5:EEE308EC29EFC11BE2B9902E7D398F2E
                                                                                                                                                SHA1:C8FB317AC2786C71136A49F892B75E0B0088B285
                                                                                                                                                SHA-256:BCDDCDF843530430E4EA958F77C2C6F27FA7E52181B327B4D7ABD7E65F865D6C
                                                                                                                                                SHA-512:A420D2BC95CD260275FB91650B6459C692EB487B1286B7F7F162042E767A5F7011C3B51616242E025199223A0D18F7649AE658CC1174889341BB698D37EC846E
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............[..[..[...[..[...[..[..[...[y.8[..[..-[w..[..;[..[..*[p..[..*[..[..$[..[..:[..[..?[..[Rich..[........PE..d...S|.f..........#.................n<)........@..............................k......`e......................................................A.......P..X\....i.t|..`.e.`)......................................................................@................... ............................ ..` .....0......................@..@ .....0.......,..............@... \|.......D...:..............@..@ T....P...6...~..............@..@.idata.......@......................@....rsrc....^...P...^..................@..@.themida..`.......`.................`...........................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):18503
                                                                                                                                                Entropy (8bit):4.602916384645227
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:Vj1U6LjK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBt:V1UAmjRd5XZFFUuj4cCg9kc2Poz
                                                                                                                                                MD5:BDDEDB773E17C5704ACA39EAC9F71FA4
                                                                                                                                                SHA1:0C3529CB8DA338AB8BABC78B039F1F7D841F6EF8
                                                                                                                                                SHA-256:8D795AEAC957C8B6556B2ACA5E0A5A8B0B3254365D488BC62E280CB3255D441A
                                                                                                                                                SHA-512:E8FAC311334B505886E65CF2804223D1304C0A5E72F5E1BF8A09F9E76221B597696E762E613438D0286EA45FF57B22A29944E3BDA6198996EC4F1215B505FC14
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:NSS is available under the Mozilla Public License, version 2, a copy of which..is below.....Note on GPL Compatibility..-------------------------....The MPL 2, section 3.3, permits you to combine NSS with code under the GNU..General Public License (GPL) version 2, or any later version of that..license, to make a Larger Work, and distribute the result under the GPL...The only condition is that you must also make NSS, and any changes you..have made to it, available to recipients under the terms of the MPL 2 also.....Anyone who receives the combined code from you does not have to continue..to dual licence in this way, and may, if they wish, distribute under the..terms of either of the two licences - either the MPL alone or the GPL..alone. However, we discourage people from distributing copies of NSS under..the GPL alone, because it means that any improvements they make cannot be..reincorporated into the main version of NSS. There is never a need to do..this for license compatibility reason
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):17097
                                                                                                                                                Entropy (8bit):4.589469361500095
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:njK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBw:nmjRd5XZFFUuj4cCg9kc2Po6
                                                                                                                                                MD5:17C0970E8C7B6A6BD33E0C66FE6DC514
                                                                                                                                                SHA1:81EF2049ACEC205180DFAA781E2D6257E1901E95
                                                                                                                                                SHA-256:112F7B1A5C192DD892F2D2092DF46109185AD9F5EB729EAC9770F48C352887DF
                                                                                                                                                SHA-512:A7D438DC4BF1E80431651D07213CDCB568AEF6024BE85D38C29C22B16A04C99C761E1B70A7EE025E43F61FCB18C4B4D552FCF2E08ED39E48FBBBB85496952BA6
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:Mozilla Public License Version 2.0..==================================....1. Definitions..--------------....1.1. "Contributor".. means each individual or legal entity that creates, contributes to.. the creation of, or owns Covered Software.....1.2. "Contributor Version".. means the combination of the Contributions of others (if any) used.. by a Contributor and that particular Contributor's Contribution.....1.3. "Contribution".. means Covered Software of a particular Contributor.....1.4. "Covered Software".. means Source Code Form to which the initial Contributor has attached.. the notice in Exhibit A, the Executable Form of such Source Code.. Form, and Modifications of such Source Code Form, in each case.. including portions thereof.....1.5. "Incompatible With Secondary Licenses".. means.... (a) that the initial Contributor has attached the notice described.. in Exhibit B to the Covered Software; or.... (b) that the Covered Software was made a
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):411
                                                                                                                                                Entropy (8bit):5.208888321720358
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:vfcoG8zO9X0TAzO6Tg7SWHMj8GaDHdKTU:XE8z6PzEMPaj3
                                                                                                                                                MD5:3A8245C6346BF3698246EA4528245A43
                                                                                                                                                SHA1:1C302DF7CC15EA32688A9BD457FE3E1B279D629B
                                                                                                                                                SHA-256:CD8190312D3F8683312213D2A1204CAB5E1222AB46ADDACDA0D3F81B35161376
                                                                                                                                                SHA-512:817D164FAEBF8EA7B672674FFFC40A4845FC11C70D24B2E92629ABF4BC60C27622CE0F4A1B7CE8273600FAC9437F579C74558BAD9AA1F25C21D19CC4D1A4B350
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:Mozilla NSS certutil.exe and dependencies..===========....sources obtained from:..-------------..https://hg.mozilla.org/projects/nspr (revision 4646) - [Mozilla Public License, version 2](LICENSE)..https://hg.mozilla.org/projects/nss (release 3.20) - [Mozilla Public License, version 2](LICENSE)....requires vcredist 2013/12.0 32bit:..-------------..http://www.microsoft.com/en-us/download/details.aspx?id=40784
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):114688
                                                                                                                                                Entropy (8bit):6.498550775653996
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:vLHYLWUjUOh73h/NvurB+mLBdQPUjRqv0hp:IWUjUO+XBdQPwAv0X
                                                                                                                                                MD5:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                SHA1:4B6BC2776A07CEF559E2D9260EE7E3873D2B25D9
                                                                                                                                                SHA-256:64AD18F4D9BEF01B86E39CA1E774DFA37DB46BC8267453C418DD7F723D6D014C
                                                                                                                                                SHA-512:128605C51FD15599D69A2713F461605F069A71387CE176BD5AFCC65C04A4CA240056B4C1E63846B7E02C29ECD2D163F7CA3B502D881C319203E2110C6FC05862
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.[.x.5.x.5.x.5..B..z.5....{.5.>..z.5.>..y.5.>..k.5.>..z.5.u..u.5.x.4.^.5.u..p.5.u..y.5.Richx.5.................PE..L...@..U............................e.............@.......................................@.................................D...........................................................................@...............x............................text............................... ..`.rdata..............................@..@.data...x...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):322048
                                                                                                                                                Entropy (8bit):6.69079609843791
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:rYq6WFCT7yIFyGre4gqvkeZEcoE9OhFPs3ivxVu0yUzHjp9AkVliqqDL687PXGHe:r5i7JlgqvkeZEcocOADUflHXqn6sIWB
                                                                                                                                                MD5:F474DD91BB12F230209EC3163CE7E6C4
                                                                                                                                                SHA1:04FF682E527A1C132F73BD836B7880DFA1128528
                                                                                                                                                SHA-256:F63B2CAB4B77AC63A1BECA66872A991E1F8233F2C513D42460DBF28C733B138C
                                                                                                                                                SHA-512:01F1FEAACDA301B013F5E097FA5816B0075B7389EE0522E8FE350802093F6CDFE6ADE24FF2A0350896B333E44A77901BBCEAD85F8CF98BFA91FB110C18ADBFEE
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):322048
                                                                                                                                                Entropy (8bit):6.69079609843791
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:rYq6WFCT7yIFyGre4gqvkeZEcoE9OhFPs3ivxVu0yUzHjp9AkVliqqDL687PXGHe:r5i7JlgqvkeZEcocOADUflHXqn6sIWB
                                                                                                                                                MD5:F474DD91BB12F230209EC3163CE7E6C4
                                                                                                                                                SHA1:04FF682E527A1C132F73BD836B7880DFA1128528
                                                                                                                                                SHA-256:F63B2CAB4B77AC63A1BECA66872A991E1F8233F2C513D42460DBF28C733B138C
                                                                                                                                                SHA-512:01F1FEAACDA301B013F5E097FA5816B0075B7389EE0522E8FE350802093F6CDFE6ADE24FF2A0350896B333E44A77901BBCEAD85F8CF98BFA91FB110C18ADBFEE
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):807424
                                                                                                                                                Entropy (8bit):6.373676348059312
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:fE0i/L+PiYRCYeqF54WhJAqSoOzut7EtYiaUMes5+99SFP4MSKE:sexRT8RMS/
                                                                                                                                                MD5:54F3932864EED803BD1CB82DF43F0C76
                                                                                                                                                SHA1:675960ACFED6DF22AE0A41973B08494554B37F1A
                                                                                                                                                SHA-256:96E068E6162A98D212B57C86B14FC539F1BBDCCD363F68EFD8CDFECC90C699D3
                                                                                                                                                SHA-512:3E1ECCB33B8371DBE4801C5C3909130EB4E2A8A9AEC80D2C7B2528B00DD137C5FFE672095963D207B48E10F8E024C34FE841AA7ED22C7B7FA6E058165FCE90B8
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):98816
                                                                                                                                                Entropy (8bit):6.174147183797477
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:zmutViJeP5/spfYAYJV+1W26doizknjBNNqG5NFxXy4/H:zmutzP5/spfYAkV+1WpzeNqGG4
                                                                                                                                                MD5:94624BBAB23A92E0A5F90CCE9A5A340D
                                                                                                                                                SHA1:A81D1E0A2C75657F698CEE9346FA85423B9B365F
                                                                                                                                                SHA-256:B0104EA7AAA257B111982BD0763C1C47FFF76BD70249F84DCAD834D50444DF1A
                                                                                                                                                SHA-512:D623E4D271A0DCC0F16E4A2DC4D10422DE42445D6DA60A5FDB149C511B5E5363DE448696592E11DCE118F950EED2E92CFFB78056C80E1A8E3A42D44EC54CB9F3
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):11776
                                                                                                                                                Entropy (8bit):5.727800685529315
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:PMf3jwDmDS5J3HcLK9gRIcsumHu4BGeTNN+b9omw5TYlFQ3XGU0r3zqY:PMkDmS5ZcLK9gufNBdxl9klFwH0r35
                                                                                                                                                MD5:B7ED50495D311CF6E7AD247968DD2079
                                                                                                                                                SHA1:3364725821EA012F8FA99DF102677BEFC5FF929F
                                                                                                                                                SHA-256:20166E281B31AE60672B9D87CB69FCBA0C38CC5E18A8BA081C5601CCFAB7589F
                                                                                                                                                SHA-512:A783F0A00D016A5974F87399637BDDD5A5821E3A79C5ACB2F6B3F097C9BFFEFB8A1DEE7D968C0646FAA2D854A105C57988D244D9C47FB9C189D8383C00A8D2FE
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):18503
                                                                                                                                                Entropy (8bit):4.602916384645227
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:Vj1U6LjK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBt:V1UAmjRd5XZFFUuj4cCg9kc2Poz
                                                                                                                                                MD5:BDDEDB773E17C5704ACA39EAC9F71FA4
                                                                                                                                                SHA1:0C3529CB8DA338AB8BABC78B039F1F7D841F6EF8
                                                                                                                                                SHA-256:8D795AEAC957C8B6556B2ACA5E0A5A8B0B3254365D488BC62E280CB3255D441A
                                                                                                                                                SHA-512:E8FAC311334B505886E65CF2804223D1304C0A5E72F5E1BF8A09F9E76221B597696E762E613438D0286EA45FF57B22A29944E3BDA6198996EC4F1215B505FC14
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:NSS is available under the Mozilla Public License, version 2, a copy of which..is below.....Note on GPL Compatibility..-------------------------....The MPL 2, section 3.3, permits you to combine NSS with code under the GNU..General Public License (GPL) version 2, or any later version of that..license, to make a Larger Work, and distribute the result under the GPL...The only condition is that you must also make NSS, and any changes you..have made to it, available to recipients under the terms of the MPL 2 also.....Anyone who receives the combined code from you does not have to continue..to dual licence in this way, and may, if they wish, distribute under the..terms of either of the two licences - either the MPL alone or the GPL..alone. However, we discourage people from distributing copies of NSS under..the GPL alone, because it means that any improvements they make cannot be..reincorporated into the main version of NSS. There is never a need to do..this for license compatibility reason
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):478208
                                                                                                                                                Entropy (8bit):6.657367656177312
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:rF2tNYpFGB/zPDxB9+lfwskvdkuuNRcsUBm+6dwczL:wYpABLclfokbAsUBP+
                                                                                                                                                MD5:3A58690AFF7051BB18EA9D764A450551
                                                                                                                                                SHA1:5CE859B3229DA70925FFA25564CB6D7C84DD6C36
                                                                                                                                                SHA-256:D2D0B729837574D2EB6ADAC4F819BC4F8534AC9A43B17663942B2401A02DB02A
                                                                                                                                                SHA-512:299634094A624EE8AD2898D3F2BDF8FEE23F234C160992E68D087AF828A16FF18E3D1FB1CA5755E82F592D6E3E335C63A9C8DAD04EF003D2127BBFCDBEC649D4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):233984
                                                                                                                                                Entropy (8bit):6.639915060449015
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:OCIWfHHSPufQePpFEXiO1BwOD1NUGvRf8+7wNTBhg:OpWfHHSPudfOD1H8QwNTH
                                                                                                                                                MD5:55FC1EB1359AFDA427CF8CF7FC840CF2
                                                                                                                                                SHA1:F854CD1A0217AC9EB82220D87B43EC1C17B71A86
                                                                                                                                                SHA-256:77E642601D600B8DDA1FC64E4CC8D556FC53217DF933122C487EC43C1F60E2DE
                                                                                                                                                SHA-512:D7728CC9969A9BC7FC7B70884E86478A96ED33796B078D47170A0A894E8EEC982B61A0D3094867FF976FF3E97AD15A638A06C138A418FB952E76AE4FE79B9CB4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):411
                                                                                                                                                Entropy (8bit):5.208888321720358
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:vfcoG8zO9X0TAzO6Tg7SWHMj8GaDHdKTU:XE8z6PzEMPaj3
                                                                                                                                                MD5:3A8245C6346BF3698246EA4528245A43
                                                                                                                                                SHA1:1C302DF7CC15EA32688A9BD457FE3E1B279D629B
                                                                                                                                                SHA-256:CD8190312D3F8683312213D2A1204CAB5E1222AB46ADDACDA0D3F81B35161376
                                                                                                                                                SHA-512:817D164FAEBF8EA7B672674FFFC40A4845FC11C70D24B2E92629ABF4BC60C27622CE0F4A1B7CE8273600FAC9437F579C74558BAD9AA1F25C21D19CC4D1A4B350
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:Mozilla NSS certutil.exe and dependencies..===========....sources obtained from:..-------------..https://hg.mozilla.org/projects/nspr (revision 4646) - [Mozilla Public License, version 2](LICENSE)..https://hg.mozilla.org/projects/nss (release 3.20) - [Mozilla Public License, version 2](LICENSE)....requires vcredist 2013/12.0 32bit:..-------------..http://www.microsoft.com/en-us/download/details.aspx?id=40784
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):169984
                                                                                                                                                Entropy (8bit):6.398159480656867
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:+dGb9/jT+3ZazHitaf6fc5q/RYmgdwy6jnwU8AF+3eWQAZHbC:+dGb9/+3sLia6u7Ih8AsRhBe
                                                                                                                                                MD5:6832B9A7AB871D81BE42054F117B8299
                                                                                                                                                SHA1:935C0FE7E6CB356A8854E3B7046FD7FC0AA29C61
                                                                                                                                                SHA-256:B1316E04B3BF464906F4E015D3E71B4E06A65CC6E59A20A96984EE1E862DCB0E
                                                                                                                                                SHA-512:E6579F7DF7B3C43219E47630A6B51A576D2FFA9902DDB0F309F5CCB210242DD16EBEC75439B2BAC22E5CB0B62984386CB6EB4190B2914827B79E3E4AFBBDEE9C
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):159232
                                                                                                                                                Entropy (8bit):6.628891949059009
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:5XEjwQq1VzTiey++hdm0mCeZrkAhniYUwl5VFTF0Rda914+2FTTf4oLkPEb:dEMfieU8A2ijMTF0RdE14P5LkP
                                                                                                                                                MD5:BD0E897DBC2DCC0CF1287FFD7C734CF0
                                                                                                                                                SHA1:5C9C6C6082127D106520FF2E88D4CD4B665D134F
                                                                                                                                                SHA-256:2D2096447B366D6640F2670EDB474AB208D8D85B5650DB5E80CC985D1189F911
                                                                                                                                                SHA-512:DB21B151B9877C9B5A5DC2EDA3AFA6A75A827CE1F340032427B7DE1D9F9803767AECC582862B58885F456C78FC75EE529581089B725975600E45C6AF785280A9
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):13824
                                                                                                                                                Entropy (8bit):5.9228411202071864
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:gw+B2CXVETJWuHXzJqjtWoFyR5h+cBCyvqGnnnLGjV0BYpa3XGU0ki:oBH2VWu3Vqj8oFOjGsGjVAYIH0ki
                                                                                                                                                MD5:88B4DF8D7D536A195F866B70C48ED534
                                                                                                                                                SHA1:A385BCD411C3DFAD1C08CF56977C1BA45ECBF2F9
                                                                                                                                                SHA-256:09F01488A002915B8472A4E82ADB7A3E8CB43BD77DB347B0178EAE614F846A0A
                                                                                                                                                SHA-512:B8291CC96A40391D69A75DD348204083F2E21A752A8AF3339FD524F8DBB9947575C33EB8ECF77FC177CF2E3568777B2DE267CF63301034B28ADCFEF40AB821C1
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):102400
                                                                                                                                                Entropy (8bit):6.425621973332139
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:rHLNCxyxOuseQadJYO3bc3Vjo0ZQNf1v1ErPjH3XK:rrdrdJYOLt0ZG1gPjXX
                                                                                                                                                MD5:8CC6A31974A175A65D6C090FEED39F42
                                                                                                                                                SHA1:30DFEDDC8A4A59AEB7198D8CC9C712F3248A1E51
                                                                                                                                                SHA-256:F64111FAA9966D7B7859C6467BEDBD64559284B049F55FFADC54DFC50A3A4264
                                                                                                                                                SHA-512:597B2FB5BA96FE656E2C81D3D411ADFC4E693510F130872E16C9CC70355B41FCCFC0B9DBC16171AF76E2CAA7945FDF2519CEA40B9EF1A161ED967346DF595D5E
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):970912
                                                                                                                                                Entropy (8bit):6.9649735952029515
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):114688
                                                                                                                                                Entropy (8bit):6.498550775653996
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:vLHYLWUjUOh73h/NvurB+mLBdQPUjRqv0hp:IWUjUO+XBdQPwAv0X
                                                                                                                                                MD5:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                SHA1:4B6BC2776A07CEF559E2D9260EE7E3873D2B25D9
                                                                                                                                                SHA-256:64AD18F4D9BEF01B86E39CA1E774DFA37DB46BC8267453C418DD7F723D6D014C
                                                                                                                                                SHA-512:128605C51FD15599D69A2713F461605F069A71387CE176BD5AFCC65C04A4CA240056B4C1E63846B7E02C29ECD2D163F7CA3B502D881C319203E2110C6FC05862
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):436224
                                                                                                                                                Entropy (8bit):6.90975258770428
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:t2HwxiNQVRjpfTOIf4EUo4pVQ6i+8a9CftgcWGzGgI4oW:t2HwxiWV/7OIfh4pVb2/WGzGgI4oW
                                                                                                                                                MD5:40483977B63FF6382BA0E4FB03198C8B
                                                                                                                                                SHA1:D6C291BE675E45A2D270E77BBC8F73D8FA51D8AD
                                                                                                                                                SHA-256:BFA1DE077F19AFC7B21FEB41891B4200A40B4DDA114F483D4EB92FF7A375926D
                                                                                                                                                SHA-512:EBA65F2F39F0E0FA317D5AEA13F945A3A72DA72CC31C0A0631B070AB3A914CC19250FC794C1294F4195657B6D79AC56E50190F3ED3745FCB37F4EBD833F16862
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):17097
                                                                                                                                                Entropy (8bit):4.589469361500095
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:njK80R6O5Xgao4Oy4ji4GNdUrw9j4cCg9kcjKPoBw:nmjRd5XZFFUuj4cCg9kc2Po6
                                                                                                                                                MD5:17C0970E8C7B6A6BD33E0C66FE6DC514
                                                                                                                                                SHA1:81EF2049ACEC205180DFAA781E2D6257E1901E95
                                                                                                                                                SHA-256:112F7B1A5C192DD892F2D2092DF46109185AD9F5EB729EAC9770F48C352887DF
                                                                                                                                                SHA-512:A7D438DC4BF1E80431651D07213CDCB568AEF6024BE85D38C29C22B16A04C99C761E1B70A7EE025E43F61FCB18C4B4D552FCF2E08ED39E48FBBBB85496952BA6
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:Mozilla Public License Version 2.0..==================================....1. Definitions..--------------....1.1. "Contributor".. means each individual or legal entity that creates, contributes to.. the creation of, or owns Covered Software.....1.2. "Contributor Version".. means the combination of the Contributions of others (if any) used.. by a Contributor and that particular Contributor's Contribution.....1.3. "Contribution".. means Covered Software of a particular Contributor.....1.4. "Covered Software".. means Source Code Form to which the initial Contributor has attached.. the notice in Exhibit A, the Executable Form of such Source Code.. Form, and Modifications of such Source Code Form, in each case.. including portions thereof.....1.5. "Incompatible With Secondary Licenses".. means.... (a) that the initial Contributor has attached the notice described.. in Exhibit B to the Covered Software; or.... (b) that the Covered Software was made a
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):110592
                                                                                                                                                Entropy (8bit):6.4887902817222995
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:QlEUXeNbfEzPX5FdEsom/cbvczqvooFPrSd8kBlUT1SB:qlybfEbXTd5wbvYqf0d8kBlUT1SB
                                                                                                                                                MD5:C19416E9CF9E571068CA14276C6E0620
                                                                                                                                                SHA1:B5E8EE4659B678FB3B234055B1EEDA920EB20B30
                                                                                                                                                SHA-256:BA9341807B42E90BB0380D51A83D3D6A0DE7D57B6820A8B0CBE5E36E978860FA
                                                                                                                                                SHA-512:5CDE579F66E0677F1419DC11723E1F7B5A7D408B4B3250E26AA0C0863A46B6FD86F17813416769F1EEC89375F3C9C83FED468A17D1EF80F83FF1744927E7DA79
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):970912
                                                                                                                                                Entropy (8bit):6.9649735952029515
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                                MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                                SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                                SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                                SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                                Malicious:false
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):159232
                                                                                                                                                Entropy (8bit):6.628891949059009
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:5XEjwQq1VzTiey++hdm0mCeZrkAhniYUwl5VFTF0Rda914+2FTTf4oLkPEb:dEMfieU8A2ijMTF0RdE14P5LkP
                                                                                                                                                MD5:BD0E897DBC2DCC0CF1287FFD7C734CF0
                                                                                                                                                SHA1:5C9C6C6082127D106520FF2E88D4CD4B665D134F
                                                                                                                                                SHA-256:2D2096447B366D6640F2670EDB474AB208D8D85B5650DB5E80CC985D1189F911
                                                                                                                                                SHA-512:DB21B151B9877C9B5A5DC2EDA3AFA6A75A827CE1F340032427B7DE1D9F9803767AECC582862B58885F456C78FC75EE529581089B725975600E45C6AF785280A9
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):807424
                                                                                                                                                Entropy (8bit):6.373676348059312
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:fE0i/L+PiYRCYeqF54WhJAqSoOzut7EtYiaUMes5+99SFP4MSKE:sexRT8RMS/
                                                                                                                                                MD5:54F3932864EED803BD1CB82DF43F0C76
                                                                                                                                                SHA1:675960ACFED6DF22AE0A41973B08494554B37F1A
                                                                                                                                                SHA-256:96E068E6162A98D212B57C86B14FC539F1BBDCCD363F68EFD8CDFECC90C699D3
                                                                                                                                                SHA-512:3E1ECCB33B8371DBE4801C5C3909130EB4E2A8A9AEC80D2C7B2528B00DD137C5FFE672095963D207B48E10F8E024C34FE841AA7ED22C7B7FA6E058165FCE90B8
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):436224
                                                                                                                                                Entropy (8bit):6.90975258770428
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:t2HwxiNQVRjpfTOIf4EUo4pVQ6i+8a9CftgcWGzGgI4oW:t2HwxiWV/7OIfh4pVb2/WGzGgI4oW
                                                                                                                                                MD5:40483977B63FF6382BA0E4FB03198C8B
                                                                                                                                                SHA1:D6C291BE675E45A2D270E77BBC8F73D8FA51D8AD
                                                                                                                                                SHA-256:BFA1DE077F19AFC7B21FEB41891B4200A40B4DDA114F483D4EB92FF7A375926D
                                                                                                                                                SHA-512:EBA65F2F39F0E0FA317D5AEA13F945A3A72DA72CC31C0A0631B070AB3A914CC19250FC794C1294F4195657B6D79AC56E50190F3ED3745FCB37F4EBD833F16862
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):102400
                                                                                                                                                Entropy (8bit):6.425621973332139
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:rHLNCxyxOuseQadJYO3bc3Vjo0ZQNf1v1ErPjH3XK:rrdrdJYOLt0ZG1gPjXX
                                                                                                                                                MD5:8CC6A31974A175A65D6C090FEED39F42
                                                                                                                                                SHA1:30DFEDDC8A4A59AEB7198D8CC9C712F3248A1E51
                                                                                                                                                SHA-256:F64111FAA9966D7B7859C6467BEDBD64559284B049F55FFADC54DFC50A3A4264
                                                                                                                                                SHA-512:597B2FB5BA96FE656E2C81D3D411ADFC4E693510F130872E16C9CC70355B41FCCFC0B9DBC16171AF76E2CAA7945FDF2519CEA40B9EF1A161ED967346DF595D5E
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):110592
                                                                                                                                                Entropy (8bit):6.4887902817222995
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:1536:QlEUXeNbfEzPX5FdEsom/cbvczqvooFPrSd8kBlUT1SB:qlybfEbXTd5wbvYqf0d8kBlUT1SB
                                                                                                                                                MD5:C19416E9CF9E571068CA14276C6E0620
                                                                                                                                                SHA1:B5E8EE4659B678FB3B234055B1EEDA920EB20B30
                                                                                                                                                SHA-256:BA9341807B42E90BB0380D51A83D3D6A0DE7D57B6820A8B0CBE5E36E978860FA
                                                                                                                                                SHA-512:5CDE579F66E0677F1419DC11723E1F7B5A7D408B4B3250E26AA0C0863A46B6FD86F17813416769F1EEC89375F3C9C83FED468A17D1EF80F83FF1744927E7DA79
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):13824
                                                                                                                                                Entropy (8bit):5.9228411202071864
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:gw+B2CXVETJWuHXzJqjtWoFyR5h+cBCyvqGnnnLGjV0BYpa3XGU0ki:oBH2VWu3Vqj8oFOjGsGjVAYIH0ki
                                                                                                                                                MD5:88B4DF8D7D536A195F866B70C48ED534
                                                                                                                                                SHA1:A385BCD411C3DFAD1C08CF56977C1BA45ECBF2F9
                                                                                                                                                SHA-256:09F01488A002915B8472A4E82ADB7A3E8CB43BD77DB347B0178EAE614F846A0A
                                                                                                                                                SHA-512:B8291CC96A40391D69A75DD348204083F2E21A752A8AF3339FD524F8DBB9947575C33EB8ECF77FC177CF2E3568777B2DE267CF63301034B28ADCFEF40AB821C1
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):11776
                                                                                                                                                Entropy (8bit):5.727800685529315
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:PMf3jwDmDS5J3HcLK9gRIcsumHu4BGeTNN+b9omw5TYlFQ3XGU0r3zqY:PMkDmS5ZcLK9gufNBdxl9klFwH0r35
                                                                                                                                                MD5:B7ED50495D311CF6E7AD247968DD2079
                                                                                                                                                SHA1:3364725821EA012F8FA99DF102677BEFC5FF929F
                                                                                                                                                SHA-256:20166E281B31AE60672B9D87CB69FCBA0C38CC5E18A8BA081C5601CCFAB7589F
                                                                                                                                                SHA-512:A783F0A00D016A5974F87399637BDDD5A5821E3A79C5ACB2F6B3F097C9BFFEFB8A1DEE7D968C0646FAA2D854A105C57988D244D9C47FB9C189D8383C00A8D2FE
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):98816
                                                                                                                                                Entropy (8bit):6.174147183797477
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:zmutViJeP5/spfYAYJV+1W26doizknjBNNqG5NFxXy4/H:zmutzP5/spfYAkV+1WpzeNqGG4
                                                                                                                                                MD5:94624BBAB23A92E0A5F90CCE9A5A340D
                                                                                                                                                SHA1:A81D1E0A2C75657F698CEE9346FA85423B9B365F
                                                                                                                                                SHA-256:B0104EA7AAA257B111982BD0763C1C47FFF76BD70249F84DCAD834D50444DF1A
                                                                                                                                                SHA-512:D623E4D271A0DCC0F16E4A2DC4D10422DE42445D6DA60A5FDB149C511B5E5363DE448696592E11DCE118F950EED2E92CFFB78056C80E1A8E3A42D44EC54CB9F3
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):169984
                                                                                                                                                Entropy (8bit):6.398159480656867
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:+dGb9/jT+3ZazHitaf6fc5q/RYmgdwy6jnwU8AF+3eWQAZHbC:+dGb9/+3sLia6u7Ih8AsRhBe
                                                                                                                                                MD5:6832B9A7AB871D81BE42054F117B8299
                                                                                                                                                SHA1:935C0FE7E6CB356A8854E3B7046FD7FC0AA29C61
                                                                                                                                                SHA-256:B1316E04B3BF464906F4E015D3E71B4E06A65CC6E59A20A96984EE1E862DCB0E
                                                                                                                                                SHA-512:E6579F7DF7B3C43219E47630A6B51A576D2FFA9902DDB0F309F5CCB210242DD16EBEC75439B2BAC22E5CB0B62984386CB6EB4190B2914827B79E3E4AFBBDEE9C
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):478208
                                                                                                                                                Entropy (8bit):6.657367656177312
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12288:rF2tNYpFGB/zPDxB9+lfwskvdkuuNRcsUBm+6dwczL:wYpABLclfokbAsUBP+
                                                                                                                                                MD5:3A58690AFF7051BB18EA9D764A450551
                                                                                                                                                SHA1:5CE859B3229DA70925FFA25564CB6D7C84DD6C36
                                                                                                                                                SHA-256:D2D0B729837574D2EB6ADAC4F819BC4F8534AC9A43B17663942B2401A02DB02A
                                                                                                                                                SHA-512:299634094A624EE8AD2898D3F2BDF8FEE23F234C160992E68D087AF828A16FF18E3D1FB1CA5755E82F592D6E3E335C63A9C8DAD04EF003D2127BBFCDBEC649D4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):233984
                                                                                                                                                Entropy (8bit):6.639915060449015
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6144:OCIWfHHSPufQePpFEXiO1BwOD1NUGvRf8+7wNTBhg:OpWfHHSPudfOD1H8QwNTH
                                                                                                                                                MD5:55FC1EB1359AFDA427CF8CF7FC840CF2
                                                                                                                                                SHA1:F854CD1A0217AC9EB82220D87B43EC1C17B71A86
                                                                                                                                                SHA-256:77E642601D600B8DDA1FC64E4CC8D556FC53217DF933122C487EC43C1F60E2DE
                                                                                                                                                SHA-512:D7728CC9969A9BC7FC7B70884E86478A96ED33796B078D47170A0A894E8EEC982B61A0D3094867FF976FF3E97AD15A638A06C138A418FB952E76AE4FE79B9CB4
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212
                                                                                                                                                Entropy (8bit):5.904728962463118
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212
                                                                                                                                                Entropy (8bit):5.904728962463118
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):6840000
                                                                                                                                                Entropy (8bit):6.2837212843053045
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:98304:SjnZwWd78sI5AVU+rmfe/x/BRrhGw6k/I35:SjZwE74AVUSmmZZFEhQy
                                                                                                                                                MD5:D0F24C3902D7B2D7B1B66068B778224A
                                                                                                                                                SHA1:D729966B95948B007F330088CF56F83EA7001589
                                                                                                                                                SHA-256:2C3DD7C3CDE5B860BC4F1DB474DEFEA508BB94DBE3495EF372E3D525B0B12840
                                                                                                                                                SHA-512:70B36CA826BCB85FAA20594E93D17F629BDC01D616253705B901BBB56D48BF939D5E377039C60205880EBE66A42C153C0896F91A6635F0CBA6E65C2D67B66FDF
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2172216
                                                                                                                                                Entropy (8bit):6.709878039513874
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:49152:LkUFbvVrZuxV5fzo+y+9gjhYhptvwdRezosg:LpbvVrZud7o+yV2dvwn
                                                                                                                                                MD5:0FFE29C5EFF5BD3E25142A388FBEDB5A
                                                                                                                                                SHA1:23869F53B974BD0AB6EB08C90F48E900AD7BEBD6
                                                                                                                                                SHA-256:4C2D7F9ED2F8E2A55C2D6E34F1BBAC74DC3606168010E798C3249A43EB4E9B98
                                                                                                                                                SHA-512:8A3E613B9ED7AFD698E5AF3B676FE8ED147992D80B8748D68CA4C380CE6C3D6EADFFE410C31438EE13FC2C31C4844D5A610FA9E3AEFB6A8C68537C7EC852DE36
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212
                                                                                                                                                Entropy (8bit):5.904728962463118
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcYcm2Y6hdQmUX0lVzng6JjgsI0lfhdQhpjxO7zypJ88K6gW28Z5NaPHbw+zsGP:LrcYbCh+X0XnrjgsI0FoHjxbznK6gWva
                                                                                                                                                MD5:37249E5BD6B7D97DFF1E7B7EE3ADE379
                                                                                                                                                SHA1:DBEE49494713937BB2A014097454C469C723B712
                                                                                                                                                SHA-256:88DCD9DEC617218506C92814C2AB22FA7EAABE51CF8282465D3F70382D1D2CEC
                                                                                                                                                SHA-512:F8EBF9EFB7BFBB47DA47B453052B10F059000021989C02FA3CA8DA324AFF4923D3D1777ED86EBB7914980142358B5A3929A0EBE1D581CF4DB52B8A8A1FC8CEA8
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PEM certificate
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1212
                                                                                                                                                Entropy (8bit):5.916479117884784
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:LrcYw2/a2YVdQ/UX0lVzngeJu3W/Jkek2LN7SP4StSfn6vBdKZLEeaaF9gZ+cdQJ:LrcYitqMX0Xn3u3Wpx7Q4rP6vB8+eaaR
                                                                                                                                                MD5:7A65B4226F7B4F594BB4800E3B0996C6
                                                                                                                                                SHA1:5008A17A4426675A5781980151F0F2D06F31CC77
                                                                                                                                                SHA-256:905C65B5D8E5436932FE9EE5781EBC26E26B9E302790689058E48BDA376DDFA5
                                                                                                                                                SHA-512:09FA5AB2EA077DC2A27C2E421A0AECD525EC0BBE27E6442177CA48C753AE74811F8C1851CAB376BDD09E616C318D09CDDCB4A79861FC716FC2CA37123ACFD3CA
                                                                                                                                                Malicious:false
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):5848896
                                                                                                                                                Entropy (8bit):7.994878119676408
                                                                                                                                                Encrypted:true
                                                                                                                                                SSDEEP:98304:2u33UC7GOvq8jDuqywJBcm+d4wiysY1JBW99qu1EQd71YUfxt1adDJYGBo:2ufGOv5jDVywjcLrBsY13GEUyUf0ZbS
                                                                                                                                                MD5:EA18C971818F833249090BB8B11F72C3
                                                                                                                                                SHA1:9F1F166751452A2F9286DA2EC79092F031029617
                                                                                                                                                SHA-256:D2B17C8815A7E2E5F96C5A8DE96E949EDF4F4009EB9941A0B8A472D6A59A62EF
                                                                                                                                                SHA-512:A8D5DDE31BC4431ECF94D02891F3993AC4C10F60D4B5EA7FEEBB35C0CEA0E2A6D8A9D9E54B4EE1506B1C0A2B1A2DFC2C2CB4D67835F76FD0C444FCF95D67E7FA
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe
                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1170432
                                                                                                                                                Entropy (8bit):6.39928428004553
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24576:w4VN4kkKF3hDXq8xeidJLvkU99kkkkJE58dlX3IiAtp3Nq3E/HoQYx96uYxyx:VT90guMXEdqwHkUj
                                                                                                                                                MD5:63B15124BE653DBE589C7981DA9D397C
                                                                                                                                                SHA1:AF8874BDF2AD726F5420E8132C10BECC2BBCD93C
                                                                                                                                                SHA-256:61674B90891CA099D5FEE62BF063A948A80863530AB6A31E7F9E06F0E5BC7599
                                                                                                                                                SHA-512:339B284B5DD7386DCFA86C8FDCF239A0E97CC168229EA9A66FC0C6B26771401FA7F27C2C6A435A836A43EA9C7E634A3E47EC77E0D27985794BBB4416DFC97AC8
                                                                                                                                                Malicious:true
                                                                                                                                                Antivirus:
                                                                                                                                                • Antivirus: ReversingLabs, Detection: 5%
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):65536
                                                                                                                                                Entropy (8bit):1.235799340771983
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:CrvrXyA19Kr7XlH7X7uYfF97G7w7hKxu1IaWrnMFfTQBOO1L7R:Crvbo7X97X7us7G7c4EmkiL7R
                                                                                                                                                MD5:A77FD7DD9D3AE0A9EAF37B4E43D0CA88
                                                                                                                                                SHA1:BDF9398251F5364D05F4F7BFD909EE9BC8BED557
                                                                                                                                                SHA-256:B051DF44048FE742BD420A2C9296407004376C0BA02723FF580077C8C6170BE7
                                                                                                                                                SHA-512:37E10B1F163CA300A9BA9BEF4C023FAADA00C1045EA293C2500172BDE9E1F17BBF58F5E6B3EE764ADE86B0AA9D8526D405DC34C676B75C06E3957D4FD991D9D2
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 32768, file counter 13, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 13
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):229376
                                                                                                                                                Entropy (8bit):0.7152174399399324
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:Y1zkVmvQhyn+Zoz67xhMMTNlH333JqN8j/LKXj56uT:Y6hM0sCyl
                                                                                                                                                MD5:B575975591EF58A71BD5C1C0A68DCEA3
                                                                                                                                                SHA1:C8AA927C81C3BF04AA677274CEF328D7F07B8E3F
                                                                                                                                                SHA-256:E616CEF1D750A0479D88609B907D03D7573546138C21D7234542498993889596
                                                                                                                                                SHA-512:D8A4FA00CC0DEE15F48AB469C3CAEBB8FAB476E2C92409F9784BAC0BE5F50AAF0E8AB40B2B3DCAEB1EEF303BD2BFDD1CCE750701F2EF03D4272DAC65CC0B06E4
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite Rollback Journal
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):229944
                                                                                                                                                Entropy (8bit):0.7155942489719497
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:725JuOhMMTNlH333JqN8j/LKXwX1zkVmvQhyn+Zoz67J:ChM0sCyWg
                                                                                                                                                MD5:9C841DE18FE7DD4D7AFBF176E1E7227E
                                                                                                                                                SHA1:29D9890CC939AA205029D7DC7F9DB88631EA94EC
                                                                                                                                                SHA-256:06BA6C679BC055CE35200E88806A775A30484AE67C6C23FE2B193572055D572E
                                                                                                                                                SHA-512:1C7E042761E68F074A54E0F7FD82B6DB087C78EBFBEC51EADB42A6FE27AC97B07C3D529307D699AD653B130CE9A4E2765FBD2CBAACE22C4E66D5F8A2AE830383
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):16384
                                                                                                                                                Entropy (8bit):1.0619644581451437
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Lt/hV/plfltt/lE9lllnldl/lyGltdl/l8/fNDqL5geUDqgRpbw8aRay:5X9cvV3Xy/fu4DBR+LD
                                                                                                                                                MD5:C2BBD4294FD79F4FFAE597598A3AF903
                                                                                                                                                SHA1:19E611225105BA85C3978DF78862404012148445
                                                                                                                                                SHA-256:AFECDA707616A021F8F268689BCA5808666E1B23DA6199464F8CA6DA6831BCAB
                                                                                                                                                SHA-512:A82F6137C59C1B27FACE9951372289D020DD5A71542FB7CA263D5102AD3B7CC42D4BB2ADBB48D54A6BA1D720AB41268DE421F1667797CCCB3E7A257A924B05F5
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 32768, file counter 4, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):294912
                                                                                                                                                Entropy (8bit):0.2149793878289495
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:xva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vnmRGMSgf:x1zkVmvQhyn+Zoz67amsTgf
                                                                                                                                                MD5:E74D93836585DFF42658600B870FC61E
                                                                                                                                                SHA1:375957E41364E5483D9834F1F945E7FB7183C542
                                                                                                                                                SHA-256:65F12B325AF120A5F8901DBF02EBEED04BEA7B566319CAD0D9F7E98FFB007269
                                                                                                                                                SHA-512:340F5B0B5538B8CBEAFA262641CEE1D7B3C050D3D0C9685AEFAC4BF23F8A5474DBFF4538C4CF727828E53D938427564BD70A524C0012D4D4AE4472AAC5DFEBEB
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite Rollback Journal
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):98840
                                                                                                                                                Entropy (8bit):0.40608650990310763
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:7hVKRGMSMfyva0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vM:7h4sTky1zkVmvQhyn+Zoz67F
                                                                                                                                                MD5:E219D0A5068FC755946335D9D768AD92
                                                                                                                                                SHA1:B0F21A1BB1C0E30AAED2D0ADA8AEB1F63A07F2C9
                                                                                                                                                SHA-256:8868A3EBEA7A34859BAF04F4C732167645B315D9BEA6BC91048168CC9BC86351
                                                                                                                                                SHA-512:628205DC0663B400C0F5C7C862CE1BABFCC021CB3797E807B9233599E359CD6CBDFBF14509C60A2550837231B3F66185CC255563CAC50A1B534F3DE0C2588C86
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):585
                                                                                                                                                Entropy (8bit):5.392481256172488
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:T4Lwvf1W0hOudhNTf9682LDcGuyXkvsUvE+LK5H4liOlMMN:T4Lwvf171zf9JzHVG2wyh
                                                                                                                                                MD5:AADB839FFC075AF52E455BB45FA98E27
                                                                                                                                                SHA1:9CC1F6E310CC71BA939264846D7C107836210E55
                                                                                                                                                SHA-256:9749B341F50867668FB83B20900241581842142B53318345951C8331B4B8F4BF
                                                                                                                                                SHA-512:EBEFAD56307D74CAF5B77D8F9D7A850EB2A9A7373C63084A3D7A3C14E9B31C47E1513BE1579D98ECE60A3D42085BC523EC413A1DB637365DE5766500B198707C
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....library=.\/nssckbi.dll..name=Root Certs..NSS=trustOrder=100 ....
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):518
                                                                                                                                                Entropy (8bit):5.385850521177622
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:T4Lwvf1W0hOudhNTf9682LDcGuyXkvsUvE+LK5H4ll:T4Lwvf171zf9JzHVG2D
                                                                                                                                                MD5:8B118CBED24221FA67C30BAB871BD830
                                                                                                                                                SHA1:22C57F5ED56AC7070F0ECE98B99B6F56A8802295
                                                                                                                                                SHA-256:6EF95845CAA60AE9B816B936782E094869AFD2B52EE24CD18F6664E35D5F0286
                                                                                                                                                SHA-512:D7DC51952DB7A21A07BEC139DFD6C076FE0115941385A534524BB1D1F7D3F245E2DF05120D9F6A17F9AC4D191FC14E58471F93FA762F39584B37768733DB0AC8
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})....
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16384
                                                                                                                                                Entropy (8bit):1.0405977878391515
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:5X9cvV3Xy/XKyrXsXSlxlX8ibAkm7f2WMDAh9LGVEyqQDACAMLycmUatZPNL9bAn:5NGV3Xy/NZXWviLDcGuyrJvGLOvP
                                                                                                                                                MD5:034E4E79FD530376E7B0A15C125D034C
                                                                                                                                                SHA1:7EB364455CC62774D7A546C0E75C66F89AEA47EF
                                                                                                                                                SHA-256:74E05369CFF695440FA16A2085CEFB013CC2A40327858D3F57ECB05F976A8D2D
                                                                                                                                                SHA-512:67E2F5FDA202E325B55C1A08A9B7AAACE4FCA2B4E709FD416311089A68F089DA263CDAC60D3D9FEC7077F392AE96A16BCF2BDDFD78375B4B3DB0A91D1D99713E
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):65536
                                                                                                                                                Entropy (8bit):1.235799340771983
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:CrvrXyA19Kr7XlH7X7uYfF97G7w7hKxu1IaWrnMFfTQBOO1L7R:Crvbo7X97X7us7G7c4EmkiL7R
                                                                                                                                                MD5:A77FD7DD9D3AE0A9EAF37B4E43D0CA88
                                                                                                                                                SHA1:BDF9398251F5364D05F4F7BFD909EE9BC8BED557
                                                                                                                                                SHA-256:B051DF44048FE742BD420A2C9296407004376C0BA02723FF580077C8C6170BE7
                                                                                                                                                SHA-512:37E10B1F163CA300A9BA9BEF4C023FAADA00C1045EA293C2500172BDE9E1F17BBF58F5E6B3EE764ADE86B0AA9D8526D405DC34C676B75C06E3957D4FD991D9D2
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 2, database pages 10, cookie 0x5, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):10240
                                                                                                                                                Entropy (8bit):2.4933067550653023
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:KvKXzkVmvQhyn+ZoQfqlQbGhMHPaVAL23v8GPSZZi:KozkVmvQhyn+ZooGaZ
                                                                                                                                                MD5:D829EBC328E99645F54E66C904939EF8
                                                                                                                                                SHA1:A2FA15F5426764709EC8B60ADDFB472F13417D81
                                                                                                                                                SHA-256:9954459403B3F315B6637C2F9EEC0C5B0D99840A77FD01057D5C3542998B4EE0
                                                                                                                                                SHA-512:04DC518305753C594BB10D1EF55F24BE48C7B62AEB80023DD9C38A37871E3FD0C850D1B21D3DB1AAB47FB0D4451A7FEDB878BAEC2CB71D421405E74517AC22FF
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:data
                                                                                                                                                Category:modified
                                                                                                                                                Size (bytes):6704
                                                                                                                                                Entropy (8bit):0.44557387726351855
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:osZnl897s4ozxq0Sl897s4ozxqs0XxqaUl/JJp6WvmMTn:oZ972xJN972xUXxzDMTn
                                                                                                                                                MD5:5BA052C524078E0B4A7B6BFF33DD4C34
                                                                                                                                                SHA1:356DC8B3369B1217D6027F4892C55E65732CCBDD
                                                                                                                                                SHA-256:9A1563D65AE444C63C41440752352215A9683FD8B88596A01BC27C7A12241019
                                                                                                                                                SHA-512:F87FCF944A272F579C44B964F5DE1E4082653DAA806921573B3BE503ECA55DB310C92385E05C46429FD276694C643F0F12CB191301EBCF654FADCDB2C1BA2A97
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16384
                                                                                                                                                Entropy (8bit):1.061513602313362
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:Lt/hV/plfltt/lE9lllnldl/lyGltdl/l8/fNDqL0s8tKgrgRpbw8aRay:5X9cvV3Xy/fa8tKgcR+LD
                                                                                                                                                MD5:6E2429A756DD8F368F63E013D0D2CE24
                                                                                                                                                SHA1:D23B65A530C5C0718E8BEC7729F50F6933F8EB40
                                                                                                                                                SHA-256:60178D13E32F11ECAAB17D163F9CAD1765E8941E3ECC0745ABE87039F3A940E8
                                                                                                                                                SHA-512:729BC4DF8AD60BBF38F13D8A24F762FDAF94141A1E321E3B44196F58F82068CF4B5FF431C68159CF3677F1E95F0D53E2F225C98AF23D7AAB88904925223C63E3
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3007015, page size 1024, file counter 1, database pages 9, cookie 0x5, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):9216
                                                                                                                                                Entropy (8bit):1.4343584400685017
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:192:OvKXzkVmvQhyn+ZoQfqlQbGhMHPaVAL23v8:OozkVmvQhyn+Zoo
                                                                                                                                                MD5:E45C3FB0F28FE6590E3D75C785E65C1F
                                                                                                                                                SHA1:D96690392E6428CAC59BBAA9B2BCDBAC27E683E5
                                                                                                                                                SHA-256:020B3C13B4DC97A12AF70E1330D364FF2B17D08B6E4F607F3527EBCF962A2421
                                                                                                                                                SHA-512:BE49505ABD641BFD4A1BF6698578DAB5951DBD1B254CF540F863F586A76576833D9F52F82810B047582FF379884D7452085B277132E6627C7FBC4733A0246E2F
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:SQLite Rollback Journal
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):512
                                                                                                                                                Entropy (8bit):0.26077127604825584
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:7FEG2l/l38tFlxll:7+/l/lE
                                                                                                                                                MD5:B7512039A048D3D1AD61DC6F48E92794
                                                                                                                                                SHA1:2C26EFFB87FD5230890735869000B265E1CCEECA
                                                                                                                                                SHA-256:6CAEC0E3AB333A42AFF4A03B20E1978C3F050C890D56DE536CA561104B8961B8
                                                                                                                                                SHA-512:CC14105D6877021997E006BD2432AE7985F78CA49D92761016E33DA2B46C84BDE13A327A5E8205CF5971D0102394A904DCE0C4F9E40B6DB81EA796C4078E8211
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):488
                                                                                                                                                Entropy (8bit):5.320628578226095
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:T4LwvfU2LDcGuyrJv7vEPJDthxq429+BOlMMN:T4LwvfUzGwj2Gyh
                                                                                                                                                MD5:B99D3583C6DDFE54E4E1DB6BDC93AC29
                                                                                                                                                SHA1:6FF823D6C3761506ABA81DF72AAE0396D324C22C
                                                                                                                                                SHA-256:5AB8B78C1F366189DCEF0AC930E2FEF3C296A84BB1E9F44F88B149B4EEC3D7D8
                                                                                                                                                SHA-512:0A98F545FB54D4795D338F555DF79AD06BA99E9EB93DBEB9F99259463597384675239262C82F92E12579DF9668AC65D74FB146AF7BB18783BC33CD9A8B5DB058
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:.\\' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,critical....library=.\/nssckbi.dll..name=Root Certs..NSS=trustOrder=100 ....
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):421
                                                                                                                                                Entropy (8bit):5.31978933293004
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:EO4LLbAkm74+U2WMDAh9LGVEyqQDACAMLycmUatZr+Wkv1gX06feNWIuthIoJp/s:T4LwvfU2LDcGuyrJv7vEPJDthxq429+M
                                                                                                                                                MD5:1649BFBECBDCD7130B69D542B253555A
                                                                                                                                                SHA1:9D49992FF2694EA015BDAF9D99B419B3A49075BB
                                                                                                                                                SHA-256:E99DFC28DFC2F25B29DE94048531054BEAEC02DBCE322245522BE43B7C5B03CB
                                                                                                                                                SHA-512:99AEE8ABCAF391650E10B36EDA352AD3FB8F7C7F0B6B993C92BF47E0D54F04809B77ABE74E391B8097C7D525D2199D13A30AB37DB3B97389D4E305E511F2756B
                                                                                                                                                Malicious:true
                                                                                                                                                Preview:library=..name=NSS Internal PKCS #11 Module..parameters=configdir='sql:.\\' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ..NSS=trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,SHA256,SHA512,Camellia,SEED,RANDOM askpw=any timeout=30 ] } Flags=internal,critical....
                                                                                                                                                Process:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):16384
                                                                                                                                                Entropy (8bit):1.0405977878391515
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:6:5X9cvV3Xy/XKyrXsXSlxlX8ibAkm7f2WMDAh9LGVEyqQDACAMLycmUatZPNL9bAn:5NGV3Xy/NZXWviLDcGuyrJvGLOvP
                                                                                                                                                MD5:034E4E79FD530376E7B0A15C125D034C
                                                                                                                                                SHA1:7EB364455CC62774D7A546C0E75C66F89AEA47EF
                                                                                                                                                SHA-256:74E05369CFF695440FA16A2085CEFB013CC2A40327858D3F57ECB05F976A8D2D
                                                                                                                                                SHA-512:67E2F5FDA202E325B55C1A08A9B7AAACE4FCA2B4E709FD416311089A68F089DA263CDAC60D3D9FEC7077F392AE96A16BCF2BDDFD78375B4B3DB0A91D1D99713E
                                                                                                                                                Malicious:true
                                                                                                                                                Process:C:\Windows\System32\netsh.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):7
                                                                                                                                                Entropy (8bit):2.2359263506290326
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:t:t
                                                                                                                                                MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                                                                                                SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                                                                                                SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                                                                                                SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                                                                                                Malicious:false
                                                                                                                                                Preview:Ok.....
                                                                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                Entropy (8bit):7.999756797985917
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                                                                                • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                File name:veraport-g3-x64.exe
                                                                                                                                                File size:30'041'304 bytes
                                                                                                                                                MD5:c9207ccbdef51cada0bc0402c6f1623c
                                                                                                                                                SHA1:28f3530f6fa7cf504f126b2270c40be3bcc9eea9
                                                                                                                                                SHA256:7734b2849f3efc85344db57c3c91376601b1f993b3aa18cbcd83473a37d80f17
                                                                                                                                                SHA512:aa1b2dcc9e7a38afb7534f14805d78a60ca312e257b598d7a99e0fcb013a7706fab74fa80c4feebd2b30d401ddf7ea883634a96cac0a7efcd74def0b6b49cba0
                                                                                                                                                SSDEEP:786432:pYnAfUOUr0p9Nl56dybFx1eanhgyepNgDFFLx:p6AfjUr0p93ocvhvqupFd
                                                                                                                                                TLSH:3D6733020B8144B0F935AA3B8D940D367C8E70F53CFA466A3E79D5AD7D7B28449B9E31
                                                                                                                                                File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                Icon Hash:2d2e3797b32b2b99
                                                                                                                                                Entrypoint:0x4113bc
                                                                                                                                                Entrypoint Section:.itext
                                                                                                                                                Digitally signed:true
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                Time Stamp:0x51092C84 [Wed Jan 30 14:21:56 2013 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                OS Version Major:5
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:5
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:48aa5c8931746a9655524f67b25a47ef
                                                                                                                                                Signature Valid:true
                                                                                                                                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                                Signature Validation Error:The operation completed successfully
                                                                                                                                                Error Number:0
                                                                                                                                                Not Before, Not After
                                                                                                                                                • 28/08/2023 02:00:00 18/09/2026 01:59:59
                                                                                                                                                Subject Chain
                                                                                                                                                • CN="WIZVERA Co., Ltd.", O="WIZVERA Co., Ltd.", L=Seongdong-gu, S=Seoul, C=KR, SERIALNUMBER=110111-3810929, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Seoul, OID.1.3.6.1.4.1.311.60.2.1.3=KR
                                                                                                                                                Version:3
                                                                                                                                                Thumbprint MD5:D11BF73855DAD71E2DBB41EEBF606BE1
                                                                                                                                                Thumbprint SHA-1:DA34AF2AA72AD28B7581E7EF377EDD0E7E449B5D
                                                                                                                                                Thumbprint SHA-256:E2939621E71BF2FC88AAE7D003949838715021FD4F5646350F1FBFFE728402CE
                                                                                                                                                Serial:0A6804A1E1DDBB28227470CF4FFB56F5
                                                                                                                                                Instruction
                                                                                                                                                push ebp
                                                                                                                                                mov ebp, esp
                                                                                                                                                add esp, FFFFFFA4h
                                                                                                                                                push ebx
                                                                                                                                                push esi
                                                                                                                                                push edi
                                                                                                                                                xor eax, eax
                                                                                                                                                mov dword ptr [ebp-3Ch], eax
                                                                                                                                                mov dword ptr [ebp-40h], eax
                                                                                                                                                mov dword ptr [ebp-5Ch], eax
                                                                                                                                                mov dword ptr [ebp-30h], eax
                                                                                                                                                mov dword ptr [ebp-38h], eax
                                                                                                                                                mov dword ptr [ebp-34h], eax
                                                                                                                                                mov dword ptr [ebp-2Ch], eax
                                                                                                                                                mov dword ptr [ebp-28h], eax
                                                                                                                                                mov dword ptr [ebp-14h], eax
                                                                                                                                                mov eax, 0041002Ch
                                                                                                                                                call 00007F1F6C6890EDh
                                                                                                                                                xor eax, eax
                                                                                                                                                push ebp
                                                                                                                                                push 00411A9Eh
                                                                                                                                                push dword ptr fs:[eax]
                                                                                                                                                mov dword ptr fs:[eax], esp
                                                                                                                                                xor edx, edx
                                                                                                                                                push ebp
                                                                                                                                                push 00411A5Ah
                                                                                                                                                push dword ptr fs:[edx]
                                                                                                                                                mov dword ptr fs:[edx], esp
                                                                                                                                                mov eax, dword ptr [00415B48h]
                                                                                                                                                call 00007F1F6C69171Bh
                                                                                                                                                call 00007F1F6C69126Ah
                                                                                                                                                cmp byte ptr [00412ADCh], 00000000h
                                                                                                                                                je 00007F1F6C693F0Eh
                                                                                                                                                call 00007F1F6C691830h
                                                                                                                                                xor eax, eax
                                                                                                                                                call 00007F1F6C687185h
                                                                                                                                                lea edx, dword ptr [ebp-14h]
                                                                                                                                                xor eax, eax
                                                                                                                                                call 00007F1F6C68E2E7h
                                                                                                                                                mov edx, dword ptr [ebp-14h]
                                                                                                                                                mov eax, 00418650h
                                                                                                                                                call 00007F1F6C68775Ah
                                                                                                                                                push 00000002h
                                                                                                                                                push 00000000h
                                                                                                                                                push 00000001h
                                                                                                                                                mov ecx, dword ptr [00418650h]
                                                                                                                                                mov dl, 01h
                                                                                                                                                mov eax, dword ptr [0040BF3Ch]
                                                                                                                                                call 00007F1F6C68EBD2h
                                                                                                                                                mov dword ptr [00418654h], eax
                                                                                                                                                xor edx, edx
                                                                                                                                                push ebp
                                                                                                                                                push 00411A06h
                                                                                                                                                push dword ptr fs:[edx]
                                                                                                                                                mov dword ptr fs:[edx], esp
                                                                                                                                                call 00007F1F6C69178Eh
                                                                                                                                                mov dword ptr [0041865Ch], eax
                                                                                                                                                mov eax, dword ptr [0041865Ch]
                                                                                                                                                cmp dword ptr [eax+0Ch], 01h
                                                                                                                                                jne 00007F1F6C693F4Ah
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x19000          0xdd0         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1c000          0xb000        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1ca3b78        0x2960
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x1b000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x192fc          0x20c         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0xf12c | 0xf200 | 3a126e478661f20816f9d9285615f98e | False | 0.550910382231405 | data | 6.391482648256754 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .itext | 0x11000 | 0xb44 | 0xc00 | ba48b9b17b3dd8b92da3bd93f20ddb34 | False | 0.5930989583333334 | data | 5.732070848969494 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .data | 0x12000 | 0xc88 | 0xe00 | d7fd5f4b562d7961758f3d6a8c834fd0 | False | 0.24832589285714285 | data | 2.246312806661135 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .bss | 0x13000 | 0x56b4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x19000 | 0xdd0 | 0xe00 | 93d91a2b90e60bd758fc0c4908856ae1 | False | 0.36439732142857145 | data | 4.97188203376719 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .tls | 0x1a000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rdata | 0x1b000 | 0x18 | 0x200 | 3dffc444ccc131c9dcee18db49ee6403 | False | 0.05078125 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x1c000 | 0xb000 | 0xb000 | c03b0b42d3399f2a61bfb7d9043d3585 | False | 0.17853338068181818 | data | 4.149834971915067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x1c41c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675 |
| RT_ICON | 0x1c544 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179 |
| RT_ICON | 0x1caac | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548 |
| RT_ICON | 0x1cd94 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516 |
| RT_STRING | 0x1d63c | 0x68 | data | | | 0.6538461538461539 |
| RT_STRING | 0x1d6a4 | 0xd4 | data | | | 0.5283018867924528 |
| RT_STRING | 0x1d778 | 0xa4 | data | | | 0.6524390243902439 |
| RT_STRING | 0x1d81c | 0x2ac | data | | | 0.45614035087719296 |
| RT_STRING | 0x1dac8 | 0x34c | data | | | 0.4218009478672986 |
| RT_STRING | 0x1de14 | 0x294 | data | | | 0.4106060606060606 |
| RT_RCDATA | 0x1e0a8 | 0x82e8 | data | English | United States | 0.11261637622344235 |
| RT_RCDATA | 0x26390 | 0x10 | data | | | 1.5 |
| RT_RCDATA | 0x263a0 | 0x150 | data | | | 0.8333333333333334 |
| RT_RCDATA | 0x264f0 | 0x2c | data | | | 1.1818181818181819 |
| RT_GROUP_ICON | 0x2651c | 0x3e | data | English | United States | 0.8387096774193549 |
| RT_VERSION | 0x2655c | 0x4f4 | data | English | United States | 0.27917981072555204 |
| RT_MANIFEST | 0x26a50 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024 |

| DLL | Import |
|---|---|
| oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey |
| user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW |
| kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle |
| kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW |
| user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW |
| kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle |
| advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW |
| comctl32.dll | InitCommonControls |
| kernel32.dll | Sleep |
| advapi32.dll | AdjustTokenPrivileges |

| Language of compilation system | Country where language is spoken |
|---|---|
| Dutch | Netherlands |
| English | United States |

                                                                                                                                                No network behavior found

                                                                                                                                                Target ID:0
                                                                                                                                                Start time:15:28:30
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\Desktop\veraport-g3-x64.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\Desktop\veraport-g3-x64.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:30'041'304 bytes
                                                                                                                                                MD5 hash:C9207CCBDEF51CADA0BC0402C6F1623C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:1
                                                                                                                                                Start time:15:28:30
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-E6MOR.tmp\veraport-g3-x64.tmp" /SL5="$10452,29641996,118784,C:\Users\user\Desktop\veraport-g3-x64.exe"
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'170'432 bytes
                                                                                                                                                MD5 hash:63B15124BE653DBE589C7981DA9D397C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 5%, ReversingLabs
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:3
                                                                                                                                                Start time:15:28:35
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\sc.exe" stop WizveraPMSvc
                                                                                                                                                Imagebase:0x7ff7ad220000
                                                                                                                                                File size:72'192 bytes
                                                                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:4
                                                                                                                                                Start time:15:28:35
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:5
                                                                                                                                                Start time:15:28:37
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /addloopback
                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                File size:6'840'000 bytes
                                                                                                                                                MD5 hash:D0F24C3902D7B2D7B1B66068B778224A
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 0%, ReversingLabs
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:6
                                                                                                                                                Start time:15:28:38
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\CheckNetIsolation.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
                                                                                                                                                Imagebase:0x7ff783e60000
                                                                                                                                                File size:30'208 bytes
                                                                                                                                                MD5 hash:03CF7163B4837A001BD4667A8880D6CD
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:7
                                                                                                                                                Start time:15:28:38
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:8
                                                                                                                                                Start time:15:28:39
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\veraport20unloader.exe" /link
                                                                                                                                                Imagebase:0x140000000
                                                                                                                                                File size:6'840'000 bytes
                                                                                                                                                MD5 hash:D0F24C3902D7B2D7B1B66068B778224A
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:low
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:9
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\taskkill.exe" /f /im veraport-x64.exe
                                                                                                                                                Imagebase:0x7ff7e5590000
                                                                                                                                                File size:101'376 bytes
                                                                                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:10
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:11
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\taskkill.exe" /f /im veraport.exe
                                                                                                                                                Imagebase:0x7ff7e5590000
                                                                                                                                                File size:101'376 bytes
                                                                                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:moderate
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:12
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:13
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\taskkill.exe" /f /im veraportmain20.exe
                                                                                                                                                Imagebase:0x7ff7e5590000
                                                                                                                                                File size:101'376 bytes
                                                                                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:14
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:15
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\System32\taskkill.exe" /f /im verainagent.exe
                                                                                                                                                Imagebase:0x7ff7e5590000
                                                                                                                                                File size:101'376 bytes
                                                                                                                                                MD5 hash:A599D3B2FAFBDE4C1A6D7D0F839451C7
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:16
                                                                                                                                                Start time:15:28:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:18
                                                                                                                                                Start time:15:28:57
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\regsvr32.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Wizvera\Veraport20\veraport20.dll"
                                                                                                                                                Imagebase:0x7ff6e8ec0000
                                                                                                                                                File size:25'088 bytes
                                                                                                                                                MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:19
                                                                                                                                                Start time:15:28:58
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Program Files\Wizvera\Veraport20\wizveraregsvr.exe" veraport20.dll
                                                                                                                                                Imagebase:0x7ff69e230000
                                                                                                                                                File size:235'240 bytes
                                                                                                                                                MD5 hash:AA4EF1C182A79F24B519167C41FAB32E
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:20
                                                                                                                                                Start time:15:28:58
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:21
                                                                                                                                                Start time:15:29:08
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Program Files\Wizvera\Veraport20\veraport-x64.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
                                                                                                                                                Imagebase:0x7ff70f4c0000
                                                                                                                                                File size:7'876'288 bytes
                                                                                                                                                MD5 hash:9DCEECDFF4DA4C0F08C55A6D945F86B4
                                                                                                                                                Has elevated privileges:false
                                                                                                                                                Has administrator privileges:false
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:23
                                                                                                                                                Start time:15:30:24
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wizcertutil.exe" /force /gencert /target veraport
                                                                                                                                                Imagebase:0xe50000
                                                                                                                                                File size:2'172'216 bytes
                                                                                                                                                MD5 hash:0FFE29C5EFF5BD3E25142A388FBEDB5A
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:24
                                                                                                                                                Start time:15:30:27
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:25
                                                                                                                                                Start time:15:30:27
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6a5670000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:26
                                                                                                                                                Start time:15:30:28
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:27
                                                                                                                                                Start time:15:30:28
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:28
                                                                                                                                                Start time:15:30:29
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:29
                                                                                                                                                Start time:15:30:29
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:30
                                                                                                                                                Start time:15:30:30
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:31
                                                                                                                                                Start time:15:30:30
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:32
                                                                                                                                                Start time:15:30:31
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:33
                                                                                                                                                Start time:15:30:31
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:34
                                                                                                                                                Start time:15:30:32
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:35
                                                                                                                                                Start time:15:30:32
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:36
                                                                                                                                                Start time:15:30:32
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
                                                                                                                                                Imagebase:0xb90000
                                                                                                                                                File size:114'688 bytes
                                                                                                                                                MD5 hash:F8DA06687FB47CA2C355C38CA2766262
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:37
                                                                                                                                                Start time:15:30:32
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

Target ID:38
Start time:15:30:33
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:15:30:33
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:15:30:34
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d .\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:15:30:34
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:15:30:35
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d .\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:15:30:35
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:15:30:36
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -L -d sql:.\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:15:30:36
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:15:30:36
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -D -n "Veraport-CA" -d sql:.\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:15:30:36
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:48
Start time:15:30:37
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d .\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:49
Start time:15:30:38
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:50
Start time:15:30:38
Start date:28/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\nss_new\certutil.exe
Wow64 process (32bit):true
Commandline:"c:\users\user\appdata\local\temp\is-ttj7j.tmp\.\nss_new\certutil.exe" -A -n "Veraport-CA" -t "TCu,Cuw,Tuw" -i "C:\ProgramData\Wizvera\Veraport20\veraport_ca.crt" -d sql:.\
Imagebase:0xb90000
File size:114'688 bytes
MD5 hash:F8DA06687FB47CA2C355C38CA2766262
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:51
Start time:15:30:38
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                Target ID:52
                                                                                                                                                Start time:15:30:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:5'848'896 bytes
                                                                                                                                                MD5 hash:EA18C971818F833249090BB8B11F72C3
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:53
                                                                                                                                                Start time:15:30:40
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Users\user\AppData\Local\Temp\is-VOJTI.tmp\wpmsvcsetup.tmp" /SL5="$504CE,5451002,118784,C:\Users\user\AppData\Local\Temp\is-TTJ7J.tmp\wpmsvcsetup.exe" /VERYSILENT
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:1'170'432 bytes
                                                                                                                                                MD5 hash:63B15124BE653DBE589C7981DA9D397C
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:Borland Delphi
                                                                                                                                                Antivirus matches:
                                                                                                                                                • Detection: 5%, ReversingLabs
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:54
                                                                                                                                                Start time:15:30:41
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\system32\sc.exe" stop WizveraPMSvc
                                                                                                                                                Imagebase:0x500000
                                                                                                                                                File size:61'440 bytes
                                                                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:55
                                                                                                                                                Start time:15:30:41
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:56
                                                                                                                                                Start time:15:30:42
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Program Files (x86)\Wizvera\Common\wpmsvc\WizSvcUtil.exe" -fw add
                                                                                                                                                Imagebase:0x700000
                                                                                                                                                File size:4'758'688 bytes
                                                                                                                                                MD5 hash:50E4842EA92F74B2C82426FF562E2CCD
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:57
                                                                                                                                                Start time:15:30:42
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:58
                                                                                                                                                Start time:15:30:44
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\system32\sc.exe" config WizveraPMSvc start= auto
                                                                                                                                                Imagebase:0x500000
                                                                                                                                                File size:61'440 bytes
                                                                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:59
                                                                                                                                                Start time:15:30:44
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:60
                                                                                                                                                Start time:15:30:44
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe" /i
                                                                                                                                                Imagebase:0x590000
                                                                                                                                                File size:5'647'008 bytes
                                                                                                                                                MD5 hash:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:61
                                                                                                                                                Start time:15:30:45
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:62
                                                                                                                                                Start time:15:30:47
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\SysWOW64\sc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Windows\system32\sc.exe" start WizveraPMSvc
                                                                                                                                                Imagebase:0x500000
                                                                                                                                                File size:61'440 bytes
                                                                                                                                                MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:63
                                                                                                                                                Start time:15:30:47
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:64
                                                                                                                                                Start time:15:30:47
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:"C:\Program Files (x86)\Wizvera\Common\wpmsvc\wpmsvc.exe"
                                                                                                                                                Imagebase:0x590000
                                                                                                                                                File size:5'647'008 bytes
                                                                                                                                                MD5 hash:3C126066F71E9A97F6D8E6383D4BA9B0
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:false

                                                                                                                                                Target ID:65
                                                                                                                                                Start time:15:30:50
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Program Files\Wizvera\Veraport20\veraport-x64.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" wizvera-veraport://exec/x86/16105/
                                                                                                                                                Imagebase:0x7ff70f4c0000
                                                                                                                                                File size:7'876'288 bytes
                                                                                                                                                MD5 hash:9DCEECDFF4DA4C0F08C55A6D945F86B4
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:66
                                                                                                                                                Start time:15:30:50
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\netsh.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="Wizvera-Veraport-G3(x64)"
                                                                                                                                                Imagebase:0x7ff7fdfc0000
                                                                                                                                                File size:96'768 bytes
                                                                                                                                                MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:67
                                                                                                                                                Start time:15:30:50
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:68
                                                                                                                                                Start time:15:30:51
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\netsh.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Wizvera-Veraport-G3(x64)" dir=in program="C:\Program Files\Wizvera\Veraport20\veraport-x64.exe" action=allow
                                                                                                                                                Imagebase:0x7ff7fdfc0000
                                                                                                                                                File size:96'768 bytes
                                                                                                                                                MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:69
                                                                                                                                                Start time:15:30:51
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:70
                                                                                                                                                Start time:15:30:51
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\sc.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:"C:\Windows\system32\sc.exe" start WizveraPMSvc
                                                                                                                                                Imagebase:0x7ff7ad220000
                                                                                                                                                File size:72'192 bytes
                                                                                                                                                MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                Target ID:71
                                                                                                                                                Start time:15:30:51
                                                                                                                                                Start date:28/10/2024
                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                File size:862'208 bytes
                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Has exited:true

                                                                                                                                                  Execution Graph

                                                                                                                                                  Execution Coverage:3.3%
                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                  Signature Coverage:11.9%
                                                                                                                                                  Total number of Nodes:1499
                                                                                                                                                  Total number of Limit Nodes:52
13499 7ff69e2481ea 13496->13499 13498 7ff69e245fac _FF_MSGBANNER 44 API calls 13497->13498 13501 7ff69e2481d8 13498->13501 13500 7ff69e2481ff 13499->13500 13522 7ff69e244b0c 13499->13522 13500->13492 13500->13495 13503 7ff69e245d84 _FF_MSGBANNER 44 API calls 13501->13503 13507 7ff69e2481e0 13503->13507 13505 7ff69e248224 13509 7ff69e248294 _lock 44 API calls 13505->13509 13506 7ff69e248215 13508 7ff69e243728 _errno 44 API calls 13506->13508 13510 7ff69e242d64 malloc 3 API calls 13507->13510 13508->13500 13511 7ff69e24822e 13509->13511 13510->13499 13512 7ff69e248266 13511->13512 13513 7ff69e248237 13511->13513 13514 7ff69e242650 free 44 API calls 13512->13514 13515 7ff69e24868c _lock InitializeCriticalSectionAndSpinCount 13513->13515 13516 7ff69e248255 LeaveCriticalSection 13514->13516 13517 7ff69e248244 13515->13517 13516->13500 13517->13516 13519 7ff69e242650 free 44 API calls 13517->13519 13520 7ff69e248250 13519->13520 13521 7ff69e243728 _errno 44 API calls 13520->13521 13521->13516 13523 7ff69e244b28 13522->13523 13525 7ff69e244b60 13523->13525 13526 7ff69e244b40 Sleep 13523->13526 13527 7ff69e242598 13523->13527 13525->13505 13525->13506 13526->13523 13526->13525 13528 7ff69e24262c realloc 13527->13528 13529 7ff69e2425b0 realloc 13527->13529 13533 7ff69e243728 _errno 44 API calls 13528->13533 13530 7ff69e2425e8 HeapAlloc 13529->13530 13531 7ff69e2425c8 13529->13531 13535 7ff69e242611 13529->13535 13538 7ff69e242616 13529->13538 13530->13529 13534 7ff69e242621 13530->13534 13531->13530 13532 7ff69e245fac _FF_MSGBANNER 44 API calls 13531->13532 13536 7ff69e245d84 _FF_MSGBANNER 44 API calls 13531->13536 13539 7ff69e242d64 malloc 3 API calls 13531->13539 13532->13531 13533->13534 13534->13523 13537 7ff69e243728 _errno 44 API calls 13535->13537 13536->13531 13537->13538 13540 7ff69e243728 _errno 44 API calls 13538->13540 13539->13531 13540->13534 13542 7ff69e2430f1 13541->13542 13543 7ff69e2430fb 13541->13543 13542->13543 13545 7ff69e24312b 13542->13545 13544 
7ff69e243728 _errno 45 API calls 13543->13544 13549 7ff69e243103 13544->13549 13547 7ff69e24311e 13545->13547 13548 7ff69e243728 _errno 45 API calls 13545->13548 13546 7ff69e245ca0 _flush 7 API calls 13546->13547 13547->13338 13548->13549 13549->13546 13551 7ff69e2482ee EncodePointer 13550->13551 13551->13551 13552 7ff69e248303 13551->13552 13552->13344 13562 7ff69e242210 13553->13562 13555 7ff69e242321 13555->13347 13556 7ff69e252cb0 13555->13556 13559 7ff69e252a68 13555->13559 13578 7ff69e23efcc 13556->13578 13584 7ff69e233b4c 13559->13584 13577 7ff69e242d7c 13562->13577 13564 7ff69e242231 DecodePointer DecodePointer 13565 7ff69e242259 13564->13565 13568 7ff69e2422f1 _cinit 13564->13568 13566 7ff69e244168 _cinit 46 API calls 13565->13566 13565->13568 13567 7ff69e242275 13566->13567 13569 7ff69e2422d1 EncodePointer EncodePointer 13567->13569 13570 7ff69e242291 13567->13570 13571 7ff69e2422a2 13567->13571 13568->13555 13569->13568 13572 7ff69e244bfc _cinit 49 API calls 13570->13572 13571->13568 13573 7ff69e242299 13571->13573 13572->13573 13573->13571 13574 7ff69e2422ba EncodePointer 13573->13574 13575 7ff69e244bfc _cinit 49 API calls 13573->13575 13574->13569 13576 7ff69e2422b5 13575->13576 13576->13568 13576->13574 13583 7ff69e23ef38 8 API calls 13578->13583 13587 7ff69e235480 13584->13587 13596 7ff69e2367d0 13587->13596 13590 7ff69e2354a1 13592 7ff69e233b5a 13590->13592 13618 7ff69e2362ec 13590->13618 13595 7ff69e232cfc _RunAllParam 2 API calls 13595->13592 13597 7ff69e2367fb 13596->13597 13598 7ff69e236800 13596->13598 13599 7ff69e232cfc _RunAllParam 2 API calls 13597->13599 13610 7ff69e236835 13598->13610 13611 7ff69e236849 13598->13611 13650 7ff69e2363a0 TlsAlloc 13598->13650 13599->13598 13604 7ff69e23683e 13608 7ff69e232cfc _RunAllParam 2 API calls 13604->13608 13604->13611 13605 7ff69e235497 13605->13590 13613 7ff69e232cfc 13605->13613 13606 7ff69e236823 13607 7ff69e232cfc _RunAllParam 2 API calls 13606->13607 13606->13610 13607->13610 13608->13611 13609 
7ff69e236860 13655 7ff69e236620 EnterCriticalSection 13609->13655 13624 7ff69e2363f0 EnterCriticalSection 13610->13624 13643 7ff69e236258 EnterCriticalSection 13611->13643 13614 7ff69e243b38 __SehTransFilter RaiseException 13613->13614 13615 7ff69e232d1d 13614->13615 13616 7ff69e23621c _RunAllParam 2 API calls 13615->13616 13617 7ff69e232d37 _RunAllParam 13616->13617 13617->13590 13619 7ff69e2354be 13618->13619 13620 7ff69e23630e 13618->13620 13619->13592 13619->13595 13724 7ff69e23e80c 13620->13724 13626 7ff69e236422 13624->13626 13625 7ff69e236536 shared_ptr 13627 7ff69e236549 LeaveCriticalSection 13625->13627 13626->13625 13628 7ff69e23649e GlobalHandle GlobalUnlock 13626->13628 13629 7ff69e236473 13626->13629 13627->13604 13631 7ff69e2364cc GlobalReAlloc 13628->13631 13632 7ff69e2364c1 13628->13632 13630 7ff69e23648f GlobalAlloc 13629->13630 13678 7ff69e231748 13629->13678 13634 7ff69e2364de 13630->13634 13631->13634 13635 7ff69e231748 _RunAllParam 49 API calls 13632->13635 13636 7ff69e23650b GlobalLock 13634->13636 13639 7ff69e2364ec GlobalHandle GlobalLock 13634->13639 13640 7ff69e2364fb LeaveCriticalSection 13634->13640 13638 7ff69e2364cb 13635->13638 13636->13625 13638->13631 13639->13640 13684 7ff69e232cb4 13640->13684 13644 7ff69e2362a9 LeaveCriticalSection 13643->13644 13645 7ff69e23627b 13643->13645 13647 7ff69e2362b5 13644->13647 13645->13644 13646 7ff69e236280 TlsGetValue 13645->13646 13646->13644 13648 7ff69e23628d 13646->13648 13647->13605 13647->13609 13648->13644 13649 7ff69e236292 LeaveCriticalSection 13648->13649 13649->13647 13651 7ff69e2363db InitializeCriticalSection 13650->13651 13652 7ff69e2363d5 13650->13652 13651->13606 13653 7ff69e232cb4 _RunAllParam RaiseException 13652->13653 13654 7ff69e2363da 13653->13654 13654->13651 13656 7ff69e23665c 13655->13656 13657 7ff69e23678b LeaveCriticalSection 13655->13657 13656->13657 13658 7ff69e236665 TlsGetValue 13656->13658 13659 7ff69e236795 13657->13659 13660 7ff69e236689 13658->13660 13664 
7ff69e236675 13658->13664 13659->13605 13720 7ff69e23621c LocalAlloc 13660->13720 13661 7ff69e23676d LeaveCriticalSection 13661->13659 13664->13661 13665 7ff69e2366c9 13664->13665 13666 7ff69e2366f4 13664->13666 13667 7ff69e2366e5 LocalAlloc 13665->13667 13669 7ff69e231748 _RunAllParam 49 API calls 13665->13669 13668 7ff69e236710 LocalReAlloc 13666->13668 13671 7ff69e231748 _RunAllParam 49 API calls 13666->13671 13670 7ff69e236725 13667->13670 13668->13670 13672 7ff69e2366e4 13669->13672 13674 7ff69e236739 shared_ptr 13670->13674 13675 7ff69e23672a LeaveCriticalSection 13670->13675 13673 7ff69e23670f 13671->13673 13672->13667 13673->13668 13677 7ff69e23675a TlsSetValue 13674->13677 13676 7ff69e232cb4 _RunAllParam RaiseException 13675->13676 13676->13674 13677->13661 13679 7ff69e231759 13678->13679 13680 7ff69e231754 13678->13680 13687 7ff69e2369c8 13679->13687 13681 7ff69e232cb4 _RunAllParam RaiseException 13680->13681 13681->13679 13685 7ff69e243b38 __SehTransFilter RaiseException 13684->13685 13686 7ff69e232cd5 13685->13686 13704 7ff69e231110 13687->13704 13689 7ff69e2369e8 _RunAllParam 13708 7ff69e243b38 13689->13708 13691 7ff69e236a28 FormatMessageW 13693 7ff69e23175f 13691->13693 13694 7ff69e236a80 13691->13694 13711 7ff69e243a4c 13694->13711 13696 7ff69e236abe LocalFree 13696->13693 13697 7ff69e236ab7 13698 7ff69e232cb4 _RunAllParam RaiseException 13697->13698 13700 7ff69e236abd 13698->13700 13699 7ff69e236ab1 13702 7ff69e232cfc _RunAllParam 2 API calls 13699->13702 13700->13696 13702->13697 13703 7ff69e232cfc _RunAllParam 2 API calls 13703->13699 13705 7ff69e23111f 13704->13705 13706 7ff69e242598 malloc 45 API calls 13705->13706 13707 7ff69e231144 13705->13707 13706->13705 13707->13689 13710 7ff69e243b5f __initmbctable 13708->13710 13709 7ff69e243ba6 RaiseException 13709->13691 13710->13709 13715 7ff69e243a60 13711->13715 13712 7ff69e243a65 13713 7ff69e243728 _errno 45 API calls 13712->13713 13714 7ff69e236a94 13712->13714 13716 7ff69e243a8f 13713->13716 
13714->13696 13714->13697 13714->13699 13714->13703 13715->13712 13715->13714 13718 7ff69e243ab7 13715->13718 13717 7ff69e245ca0 _flush 7 API calls 13716->13717 13717->13714 13718->13714 13719 7ff69e243728 _errno 45 API calls 13718->13719 13719->13716 13721 7ff69e236238 13720->13721 13722 7ff69e236233 13720->13722 13721->13664 13723 7ff69e232cb4 _RunAllParam RaiseException 13722->13723 13723->13721 13725 7ff69e23e81e 13724->13725 13731 7ff69e23e823 13724->13731 13727 7ff69e232cfc _RunAllParam 2 API calls 13725->13727 13726 7ff69e23e832 13729 7ff69e23e880 EnterCriticalSection 13726->13729 13730 7ff69e23e843 EnterCriticalSection 13726->13730 13727->13731 13732 7ff69e23e85a InitializeCriticalSection 13730->13732 13733 7ff69e23e873 LeaveCriticalSection 13730->13733 13731->13726 13734 7ff69e23e7dc 13731->13734 13732->13733 13733->13729 13735 7ff69e23e807 13734->13735 13736 7ff69e23e7ea InitializeCriticalSection 13734->13736 13735->13726 13736->13735 13738 7ff69e235480 _RunAllParam 79 API calls 13737->13738 13739 7ff69e232a3a 13738->13739 13768 7ff69e2348a8 13739->13768 13742 7ff69e235480 _RunAllParam 79 API calls 13743 7ff69e232a4f 13742->13743 13744 7ff69e232a71 13743->13744 13782 7ff69e232798 13743->13782 13746 7ff69e235480 _RunAllParam 79 API calls 13744->13746 13747 7ff69e232a76 13746->13747 13748 7ff69e232a81 GetModuleHandleW 13747->13748 13839 7ff69e2335b4 13747->13839 13750 7ff69e231035 13748->13750 13751 7ff69e232a93 GetProcAddress 13748->13751 13750->13353 13752 7ff69e242330 13750->13752 13751->13750 13753 7ff69e24237a write_char 13752->13753 13754 7ff69e242355 13752->13754 13943 7ff69e244df8 13753->13943 13755 7ff69e243728 _errno 45 API calls 13754->13755 13756 7ff69e24235a 13755->13756 13758 7ff69e245ca0 _flush 7 API calls 13756->13758 13767 7ff69e242375 13758->13767 13759 7ff69e242392 write_char 13948 7ff69e244ea8 13759->13948 13761 7ff69e2423a1 write_char 13955 7ff69e245060 13761->13955 13763 7ff69e2423bc write_char 13975 7ff69e244f7c 13763->13975 13765 
7ff69e2423ce write_char 13979 7ff69e244e80 13765->13979 13767->13353 13845 7ff69e2347b4 13768->13845 13771 7ff69e234906 13773 7ff69e234910 SetLastError 13771->13773 13774 7ff69e23491e 13771->13774 13772 7ff69e2349bd 13852 7ff69e242150 13772->13852 13773->13772 13777 7ff69e234956 CreateActCtxW 13774->13777 13778 7ff69e23495f 13774->13778 13776 7ff69e232a4a 13776->13742 13777->13778 13779 7ff69e23498c 13778->13779 13780 7ff69e234983 CreateActCtxW 13778->13780 13779->13772 13781 7ff69e2349b4 CreateActCtxW 13779->13781 13780->13779 13781->13772 13783 7ff69e235480 _RunAllParam 79 API calls 13782->13783 13784 7ff69e2327c7 GetModuleFileNameW 13783->13784 13785 7ff69e232801 13784->13785 13786 7ff69e23280b PathFindExtensionW 13785->13786 13898 7ff69e2356f8 13785->13898 13788 7ff69e23281e 13786->13788 13789 7ff69e232823 13786->13789 13790 7ff69e2356f8 RaiseException 13788->13790 13864 7ff69e23271c 13789->13864 13790->13789 13793 7ff69e232844 13795 7ff69e23286b 13793->13795 13901 7ff69e2439d8 13793->13901 13794 7ff69e2356f8 RaiseException 13794->13793 13797 7ff69e2328b9 13795->13797 13879 7ff69e2368b8 13795->13879 13799 7ff69e232972 13797->13799 13801 7ff69e232920 13797->13801 13806 7ff69e2430e0 45 API calls 13797->13806 13803 7ff69e2329de 13799->13803 13909 7ff69e24393c 13799->13909 13807 7ff69e2430e0 45 API calls 13801->13807 13804 7ff69e242150 write_char 8 API calls 13803->13804 13809 7ff69e2329ef 13804->13809 13805 7ff69e232cb4 _RunAllParam RaiseException 13805->13795 13823 7ff69e2328f7 13806->13823 13825 7ff69e23292d 13807->13825 13809->13744 13810 7ff69e2439d8 45 API calls 13812 7ff69e2328a8 13810->13812 13811 7ff69e232956 13814 7ff69e2439d8 45 API calls 13811->13814 13812->13797 13828 7ff69e232cb4 _RunAllParam RaiseException 13812->13828 13813 7ff69e2329bf 13817 7ff69e2439d8 45 API calls 13813->13817 13821 7ff69e232961 13814->13821 13815 7ff69e23291a 13819 7ff69e232cb4 _RunAllParam RaiseException 13815->13819 13816 7ff69e232950 13820 7ff69e232cb4 _RunAllParam 
RaiseException 13816->13820 13827 7ff69e2329cd 13817->13827 13818 7ff69e2329b9 13826 7ff69e232cb4 _RunAllParam RaiseException 13818->13826 13819->13801 13820->13811 13821->13799 13834 7ff69e232cb4 _RunAllParam RaiseException 13821->13834 13822 7ff69e232914 13832 7ff69e232cfc _RunAllParam 2 API calls 13822->13832 13823->13811 13823->13815 13823->13822 13837 7ff69e232cfc _RunAllParam 2 API calls 13823->13837 13824 7ff69e23294a 13833 7ff69e232cfc _RunAllParam 2 API calls 13824->13833 13825->13811 13825->13816 13825->13824 13838 7ff69e232cfc _RunAllParam 2 API calls 13825->13838 13826->13813 13827->13803 13835 7ff69e232cb4 _RunAllParam RaiseException 13827->13835 13828->13797 13829 7ff69e2329b3 13831 7ff69e232cfc _RunAllParam 2 API calls 13829->13831 13831->13818 13832->13815 13833->13816 13834->13799 13835->13803 13836 7ff69e232cfc _RunAllParam 2 API calls 13836->13829 13837->13822 13838->13824 13840 7ff69e235480 _RunAllParam 79 API calls 13839->13840 13841 7ff69e2335bf 13840->13841 13842 7ff69e2335ed 13841->13842 13938 7ff69e234c4c 13841->13938 13842->13748 13846 7ff69e2347c6 GetModuleHandleW 13845->13846 13847 7ff69e23484d GetModuleFileNameW 13845->13847 13848 7ff69e2347df 13846->13848 13849 7ff69e2347e5 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 13846->13849 13847->13771 13847->13772 13850 7ff69e232cfc _RunAllParam 2 API calls 13848->13850 13849->13847 13851 7ff69e2347e4 13850->13851 13851->13849 13853 7ff69e242159 13852->13853 13854 7ff69e242164 13853->13854 13855 7ff69e244530 RtlCaptureContext RtlLookupFunctionEntry 13853->13855 13854->13776 13856 7ff69e2445b5 13855->13856 13857 7ff69e244574 RtlVirtualUnwind 13855->13857 13858 7ff69e2445d7 IsDebuggerPresent 13856->13858 13857->13858 13863 7ff69e24a4b4 13858->13863 13860 7ff69e244636 SetUnhandledExceptionFilter UnhandledExceptionFilter 13861 7ff69e24465e GetCurrentProcess TerminateProcess 13860->13861 13862 7ff69e244654 _flush 13860->13862 13861->13776 13862->13861 13863->13860 13865 7ff69e232737 
PathFindFileNameW 13864->13865 13866 7ff69e232731 13864->13866 13867 7ff69e23274f 13865->13867 13868 7ff69e232742 lstrlenW 13865->13868 13869 7ff69e232cfc _RunAllParam 2 API calls 13866->13869 13871 7ff69e243a4c _RunAllParam 45 API calls 13867->13871 13870 7ff69e23278a 13868->13870 13872 7ff69e232736 13869->13872 13870->13793 13870->13794 13876 7ff69e232761 13871->13876 13872->13865 13873 7ff69e232784 13874 7ff69e232cb4 _RunAllParam RaiseException 13873->13874 13874->13870 13875 7ff69e23277e 13877 7ff69e232cfc _RunAllParam 2 API calls 13875->13877 13876->13870 13876->13873 13876->13875 13878 7ff69e232cfc _RunAllParam 2 API calls 13876->13878 13877->13873 13878->13875 13880 7ff69e2369a5 13879->13880 13881 7ff69e2368e5 13879->13881 13883 7ff69e232cfc _RunAllParam 2 API calls 13880->13883 13881->13880 13882 7ff69e2368ee 13881->13882 13884 7ff69e235480 _RunAllParam 79 API calls 13882->13884 13885 7ff69e2369aa 13883->13885 13886 7ff69e2368f3 FindResourceExW 13884->13886 13887 7ff69e236919 13886->13887 13895 7ff69e232890 13886->13895 13918 7ff69e231760 LoadResource 13887->13918 13891 7ff69e236974 13892 7ff69e232cb4 _RunAllParam RaiseException 13891->13892 13892->13895 13893 7ff69e236950 13893->13891 13893->13895 13896 7ff69e232cfc _RunAllParam 2 API calls 13893->13896 13897 7ff69e23696e 13893->13897 13894 7ff69e232cfc _RunAllParam 2 API calls 13894->13891 13895->13810 13896->13897 13897->13894 13899 7ff69e243b38 __SehTransFilter RaiseException 13898->13899 13900 7ff69e235719 13899->13900 13902 7ff69e23285a 13901->13902 13903 7ff69e2439ef 13901->13903 13902->13795 13902->13805 13931 7ff69e2444ec 13903->13931 13906 7ff69e2430e0 45 API calls 13907 7ff69e243a1c 13906->13907 13907->13902 13908 7ff69e245b78 _FF_MSGBANNER 6 API calls 13907->13908 13908->13902 13910 7ff69e24395a 13909->13910 13913 7ff69e243950 13909->13913 13911 7ff69e243728 _errno 45 API calls 13910->13911 13912 7ff69e243962 13911->13912 13914 7ff69e245ca0 _flush 7 API calls 13912->13914 13913->13910 13915 
7ff69e2439a4 13913->13915 13916 7ff69e232996 13914->13916 13915->13916 13917 7ff69e243728 _errno 45 API calls 13915->13917 13916->13813 13916->13818 13916->13829 13916->13836 13917->13912 13919 7ff69e231788 13918->13919 13920 7ff69e23178c LockResource 13918->13920 13919->13895 13922 7ff69e2434fc 13919->13922 13920->13919 13921 7ff69e23179d SizeofResource 13920->13921 13921->13919 13925 7ff69e243519 __initmbctable 13922->13925 13926 7ff69e24351d shared_ptr 13922->13926 13923 7ff69e243522 13924 7ff69e243728 _errno 45 API calls 13923->13924 13927 7ff69e243527 13924->13927 13925->13893 13926->13923 13926->13925 13928 7ff69e24356d 13926->13928 13929 7ff69e245ca0 _flush 7 API calls 13927->13929 13928->13925 13930 7ff69e243728 _errno 45 API calls 13928->13930 13929->13925 13930->13927 13932 7ff69e24a404 calloc 45 API calls 13931->13932 13933 7ff69e244501 13932->13933 13934 7ff69e243a05 13933->13934 13935 7ff69e243728 _errno 45 API calls 13933->13935 13934->13902 13934->13906 13936 7ff69e244514 13935->13936 13936->13934 13937 7ff69e243728 _errno 45 API calls 13936->13937 13937->13934 13939 7ff69e2367d0 _RunAllParam 73 API calls 13938->13939 13940 7ff69e234c63 13939->13940 13941 7ff69e2335ca GetCurrentThreadId SetWindowsHookExW 13940->13941 13942 7ff69e232cfc _RunAllParam 2 API calls 13940->13942 13941->13842 13942->13941 13944 7ff69e244e06 13943->13944 13945 7ff69e244e15 EnterCriticalSection 13943->13945 13946 7ff69e248294 _lock 45 API calls 13944->13946 13947 7ff69e244e0e 13945->13947 13946->13947 13947->13759 13984 7ff69e24b4b4 13948->13984 13952 7ff69e244f1e 13952->13761 13953 7ff69e244ec7 write_char 13953->13952 13954 7ff69e244b0c _getbuf 45 API calls 13953->13954 13954->13952 13998 7ff69e244fb4 13955->13998 13957 7ff69e2450cb 13958 7ff69e243728 _errno 45 API calls 13957->13958 13959 7ff69e2450d0 13958->13959 13960 7ff69e245ca0 _flush 7 API calls 13959->13960 13961 7ff69e2450ec 13960->13961 13962 7ff69e242150 write_char 8 API calls 13961->13962 13963 7ff69e245b52 
13962->13963 13963->13763 13964 7ff69e24569d DecodePointer 13968 7ff69e2450c3 _FF_MSGBANNER 13964->13968 13965 7ff69e24b6ec 47 API calls 13965->13968 13966 7ff69e242650 free 45 API calls 13966->13968 13967 7ff69e244b0c _getbuf 45 API calls 13967->13968 13968->13957 13968->13961 13968->13964 13968->13965 13968->13966 13968->13967 13969 7ff69e2456f7 DecodePointer 13968->13969 13971 7ff69e24571e DecodePointer 13968->13971 13972 7ff69e2488d8 79 API calls 13968->13972 13973 7ff69e248884 79 API calls write_multi_char 13968->13973 13974 7ff69e24884c 79 API calls write_char 13968->13974 14006 7ff69e24b868 13968->14006 13969->13968 13971->13968 13972->13968 13973->13968 13974->13968 13976 7ff69e244f97 13975->13976 13977 7ff69e244f80 13975->13977 13976->13765 13977->13976 14185 7ff69e24b280 13977->14185 13980 7ff69e244e89 13979->13980 13981 7ff69e244e98 LeaveCriticalSection 13979->13981 14321 7ff69e248194 LeaveCriticalSection 13980->14321 13983 7ff69e244e96 13981->13983 13983->13767 13985 7ff69e24b4bd 13984->13985 13987 7ff69e244ec0 13984->13987 13986 7ff69e243728 _errno 45 API calls 13985->13986 13988 7ff69e24b4c2 13986->13988 13990 7ff69e24b444 13987->13990 13989 7ff69e245ca0 _flush 7 API calls 13988->13989 13989->13987 13991 7ff69e24b45a 13990->13991 13992 7ff69e24b44d 13990->13992 13994 7ff69e24b452 13991->13994 13995 7ff69e243728 _errno 45 API calls 13991->13995 13993 7ff69e243728 _errno 45 API calls 13992->13993 13993->13994 13994->13953 13996 7ff69e24b491 13995->13996 13997 7ff69e245ca0 _flush 7 API calls 13996->13997 13997->13994 13999 7ff69e244fca 13998->13999 14003 7ff69e24502e 13998->14003 14009 7ff69e24492c 13999->14009 14002 7ff69e245007 14002->14003 14028 7ff69e24abec 14002->14028 14003->13968 14007 7ff69e244fb4 __initmbctable 45 API calls 14006->14007 14008 7ff69e24b87a 14007->14008 14008->13968 14010 7ff69e2448a8 _errno 45 API calls 14009->14010 14011 7ff69e244937 14010->14011 14012 7ff69e244947 14011->14012 14013 7ff69e242cf8 _lock 45 API calls 14011->14013 
14012->14002 14014 7ff69e24a8fc 14012->14014 14013->14012 14015 7ff69e24492c _getptd 45 API calls 14014->14015 14016 7ff69e24a907 14015->14016 14017 7ff69e24a930 14016->14017 14018 7ff69e24a922 14016->14018 14019 7ff69e248294 _lock 45 API calls 14017->14019 14020 7ff69e24492c _getptd 45 API calls 14018->14020 14021 7ff69e24a93a 14019->14021 14022 7ff69e24a927 14020->14022 14039 7ff69e24a8a4 14021->14039 14026 7ff69e24a968 14022->14026 14027 7ff69e242cf8 _lock 45 API calls 14022->14027 14026->14002 14027->14026 14029 7ff69e24492c _getptd 45 API calls 14028->14029 14030 7ff69e24abfb 14029->14030 14031 7ff69e24ac16 14030->14031 14032 7ff69e248294 _lock 45 API calls 14030->14032 14033 7ff69e24ac9a 14031->14033 14036 7ff69e242cf8 _lock 45 API calls 14031->14036 14037 7ff69e24ac29 14032->14037 14033->14003 14034 7ff69e24ac60 14184 7ff69e248194 LeaveCriticalSection 14034->14184 14036->14033 14037->14034 14038 7ff69e242650 free 45 API calls 14037->14038 14038->14034 14040 7ff69e24a8ee 14039->14040 14041 7ff69e24a8b2 _errno __initmbctable 14039->14041 14043 7ff69e248194 LeaveCriticalSection 14040->14043 14041->14040 14044 7ff69e24a5e8 14041->14044 14045 7ff69e24a67f 14044->14045 14048 7ff69e24a606 14044->14048 14046 7ff69e24a6d2 14045->14046 14049 7ff69e242650 free 45 API calls 14045->14049 14047 7ff69e24a6ff 14046->14047 14096 7ff69e24d1c4 14046->14096 14056 7ff69e24a74b 14047->14056 14064 7ff69e242650 45 API calls free 14047->14064 14048->14045 14051 7ff69e24a645 14048->14051 14059 7ff69e242650 free 45 API calls 14048->14059 14052 7ff69e24a6a3 14049->14052 14055 7ff69e24a667 14051->14055 14061 7ff69e242650 free 45 API calls 14051->14061 14054 7ff69e242650 free 45 API calls 14052->14054 14060 7ff69e24a6b7 14054->14060 14057 7ff69e242650 free 45 API calls 14055->14057 14062 7ff69e24a673 14057->14062 14058 7ff69e242650 free 45 API calls 14058->14047 14063 7ff69e24a639 14059->14063 14065 7ff69e242650 free 45 API calls 14060->14065 14067 7ff69e24a65b 14061->14067 14068 
7ff69e242650 free 45 API calls 14062->14068 14072 7ff69e24d3f8 14063->14072 14064->14047 14066 7ff69e24a6c6 14065->14066 14070 7ff69e242650 free 45 API calls 14066->14070 14088 7ff69e24d3b0 14067->14088 14068->14045 14070->14046 14073 7ff69e24d401 14072->14073 14086 7ff69e24d487 14072->14086 14074 7ff69e24d41b 14073->14074 14075 7ff69e242650 free 45 API calls 14073->14075 14076 7ff69e24d42d 14074->14076 14078 7ff69e242650 free 45 API calls 14074->14078 14075->14074 14077 7ff69e24d43f 14076->14077 14079 7ff69e242650 free 45 API calls 14076->14079 14080 7ff69e24d451 14077->14080 14081 7ff69e242650 free 45 API calls 14077->14081 14078->14076 14079->14077 14082 7ff69e242650 free 45 API calls 14080->14082 14084 7ff69e24d463 14080->14084 14081->14080 14082->14084 14083 7ff69e24d475 14083->14086 14087 7ff69e242650 free 45 API calls 14083->14087 14084->14083 14085 7ff69e242650 free 45 API calls 14084->14085 14085->14083 14086->14051 14087->14086 14089 7ff69e24d3b5 14088->14089 14094 7ff69e24d3f2 14088->14094 14090 7ff69e24d3ce 14089->14090 14092 7ff69e242650 free 45 API calls 14089->14092 14091 7ff69e24d3e0 14090->14091 14093 7ff69e242650 free 45 API calls 14090->14093 14091->14094 14095 7ff69e242650 free 45 API calls 14091->14095 14092->14090 14093->14091 14094->14055 14095->14094 14097 7ff69e24d1cd 14096->14097 14183 7ff69e24a6f3 14096->14183 14098 7ff69e242650 free 45 API calls 14097->14098 14099 7ff69e24d1de 14098->14099 14100 7ff69e242650 free 45 API calls 14099->14100 14101 7ff69e24d1e7 14100->14101 14102 7ff69e242650 free 45 API calls 14101->14102 14103 7ff69e24d1f0 14102->14103 14104 7ff69e242650 free 45 API calls 14103->14104 14105 7ff69e24d1f9 14104->14105 14106 7ff69e242650 free 45 API calls 14105->14106 14107 7ff69e24d202 14106->14107 14108 7ff69e242650 free 45 API calls 14107->14108 14109 7ff69e24d20b 14108->14109 14110 7ff69e242650 free 45 API calls 14109->14110 14111 7ff69e24d213 14110->14111 14112 7ff69e242650 free 45 API calls 14111->14112 14113 
7ff69e24d21c 14112->14113 14114 7ff69e242650 free 45 API calls 14113->14114 14115 7ff69e24d225 14114->14115 14116 7ff69e242650 free 45 API calls 14115->14116 14117 7ff69e24d22e 14116->14117 14118 7ff69e242650 free 45 API calls 14117->14118 14119 7ff69e24d237 14118->14119 14120 7ff69e242650 free 45 API calls 14119->14120 14121 7ff69e24d240 14120->14121 14122 7ff69e242650 free 45 API calls 14121->14122 14123 7ff69e24d249 14122->14123 14124 7ff69e242650 free 45 API calls 14123->14124 14125 7ff69e24d252 14124->14125 14126 7ff69e242650 free 45 API calls 14125->14126 14127 7ff69e24d25b 14126->14127 14128 7ff69e242650 free 45 API calls 14127->14128 14129 7ff69e24d264 14128->14129 14130 7ff69e242650 free 45 API calls 14129->14130 14131 7ff69e24d270 14130->14131 14132 7ff69e242650 free 45 API calls 14131->14132 14133 7ff69e24d27c 14132->14133 14134 7ff69e242650 free 45 API calls 14133->14134 14135 7ff69e24d288 14134->14135 14136 7ff69e242650 free 45 API calls 14135->14136 14137 7ff69e24d294 14136->14137 14138 7ff69e242650 free 45 API calls 14137->14138 14139 7ff69e24d2a0 14138->14139 14140 7ff69e242650 free 45 API calls 14139->14140 14141 7ff69e24d2ac 14140->14141 14142 7ff69e242650 free 45 API calls 14141->14142 14143 7ff69e24d2b8 14142->14143 14144 7ff69e242650 free 45 API calls 14143->14144 14145 7ff69e24d2c4 14144->14145 14146 7ff69e242650 free 45 API calls 14145->14146 14147 7ff69e24d2d0 14146->14147 14148 7ff69e242650 free 45 API calls 14147->14148 14149 7ff69e24d2dc 14148->14149 14150 7ff69e242650 free 45 API calls 14149->14150 14151 7ff69e24d2e8 14150->14151 14152 7ff69e242650 free 45 API calls 14151->14152 14153 7ff69e24d2f4 14152->14153 14154 7ff69e242650 free 45 API calls 14153->14154 14155 7ff69e24d300 14154->14155 14156 7ff69e242650 free 45 API calls 14155->14156 14157 7ff69e24d30c 14156->14157 14158 7ff69e242650 free 45 API calls 14157->14158 14159 7ff69e24d318 14158->14159 14160 7ff69e242650 free 45 API calls 14159->14160 14161 7ff69e24d324 14160->14161 14162 
7ff69e242650 free 45 API calls 14161->14162 14163 7ff69e24d330 14162->14163 14164 7ff69e242650 free 45 API calls 14163->14164 14165 7ff69e24d33c 14164->14165 14166 7ff69e242650 free 45 API calls 14165->14166 14167 7ff69e24d348 14166->14167 14168 7ff69e242650 free 45 API calls 14167->14168 14169 7ff69e24d354 14168->14169 14170 7ff69e242650 free 45 API calls 14169->14170 14171 7ff69e24d360 14170->14171 14172 7ff69e242650 free 45 API calls 14171->14172 14173 7ff69e24d36c 14172->14173 14174 7ff69e242650 free 45 API calls 14173->14174 14175 7ff69e24d378 14174->14175 14176 7ff69e242650 free 45 API calls 14175->14176 14177 7ff69e24d384 14176->14177 14178 7ff69e242650 free 45 API calls 14177->14178 14179 7ff69e24d390 14178->14179 14180 7ff69e242650 free 45 API calls 14179->14180 14181 7ff69e24d39c 14180->14181 14182 7ff69e242650 free 45 API calls 14181->14182 14182->14183 14183->14058 14186 7ff69e24b29d 14185->14186 14190 7ff69e24b2c2 14185->14190 14187 7ff69e24b4b4 _flush 45 API calls 14186->14187 14186->14190 14188 7ff69e24b2b4 14187->14188 14191 7ff69e24c7d0 14188->14191 14190->13976 14192 7ff69e24c7f9 14191->14192 14193 7ff69e24c815 14191->14193 14222 7ff69e243748 14192->14222 14194 7ff69e24c8c0 14193->14194 14196 7ff69e24c82b 14193->14196 14197 7ff69e243748 __doserrno 45 API calls 14194->14197 14199 7ff69e24c87c 14196->14199 14200 7ff69e24c851 14196->14200 14201 7ff69e24c8c5 14197->14201 14225 7ff69e24e414 14199->14225 14203 7ff69e243748 __doserrno 45 API calls 14200->14203 14205 7ff69e243728 _errno 45 API calls 14201->14205 14202 7ff69e243728 _errno 45 API calls 14209 7ff69e24c807 14202->14209 14206 7ff69e24c856 14203->14206 14208 7ff69e24c8cc 14205->14208 14210 7ff69e243728 _errno 45 API calls 14206->14210 14213 7ff69e245ca0 _flush 7 API calls 14208->14213 14209->14190 14215 7ff69e24c85d 14210->14215 14211 7ff69e24c88f 14235 7ff69e24c070 14211->14235 14212 7ff69e24c8a0 14214 7ff69e243728 _errno 45 API calls 14212->14214 14213->14209 14217 7ff69e24c8a5 14214->14217 

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
• Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
Similarity
• API ID: AddressErrorHandleLibraryModeModuleProc$CommandFreeLineLoad_errno
• String ID: DllRegisterServer$Fatal Error: MFC initialization failed
• API String ID: 3431495632-2866467626
• Opcode ID: de6ec1b3697931bec9263fddc2bc06da22dd8eaa65c34ca7906eab493d068374
• Instruction ID: e58d63f3d1adcf8c7721df39b0a9ee2baa126f5fa1f2cac2797e90da513134af
• Opcode Fuzzy Hash: de6ec1b3697931bec9263fddc2bc06da22dd8eaa65c34ca7906eab493d068374
• Instruction Fuzzy Hash: 63219521F19A8281EB658B26F6800397360EF9CBD4B4821B1FE5EC375DEE3CE4818710

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
• Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
Similarity
• API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
• String ID:
• API String ID: 2667261700-0
• Opcode ID: 1eb7ab081779f79a4f18dc36c5d68e58cc16676bb72a86f14fe6c1a6a97704d8
• Instruction ID: 60206d7c5c829880f6e7608f37b3010eb2fe115e3f2e59ff2b5e3ee5ef3f84af
• Opcode Fuzzy Hash: 1eb7ab081779f79a4f18dc36c5d68e58cc16676bb72a86f14fe6c1a6a97704d8
• Instruction Fuzzy Hash: 4641AD71B0468293EB28CB25939427873A1FF54F81B109575EB6E87B9ACF3CE4618750

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
• Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
Similarity
• API ID: DecodePointer$_initterm$ExitProcess_lock
• String ID:
• API String ID: 2551688548-0
• Opcode ID: 613bac1f2c58c51e04f88a1044d7a35f3d2962f8a1aa9ec0a6903019c51b69e8
• Instruction ID: 2e8dadadabe39e12c76128840febe87d0a0a75fb8cd25c6bc9f4cd6d8a1e8a3e
• Opcode Fuzzy Hash: 613bac1f2c58c51e04f88a1044d7a35f3d2962f8a1aa9ec0a6903019c51b69e8
• Instruction Fuzzy Hash: CE41B222A1964281EA74DB02EAC113872D4FF69B84F5401B6F94DC779AFF3CE441C720

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                    • Part of subcall function 00007FF69E2347B4: GetModuleHandleW.KERNEL32(?,?,?,?,00007FF69E2348D4), ref: 00007FF69E2347CD
                                                                                                                                                    • Part of subcall function 00007FF69E2347B4: GetProcAddress.KERNEL32(?,?,?,?,00007FF69E2348D4), ref: 00007FF69E2347EF
                                                                                                                                                    • Part of subcall function 00007FF69E2347B4: GetProcAddress.KERNEL32(?,?,?,?,00007FF69E2348D4), ref: 00007FF69E23480A
                                                                                                                                                    • Part of subcall function 00007FF69E2347B4: GetProcAddress.KERNEL32(?,?,?,?,00007FF69E2348D4), ref: 00007FF69E234825
                                                                                                                                                    • Part of subcall function 00007FF69E2347B4: GetProcAddress.KERNEL32(?,?,?,?,00007FF69E2348D4), ref: 00007FF69E234840
                                                                                                                                                  • GetModuleFileNameW.KERNEL32 ref: 00007FF69E2348F8
                                                                                                                                                  • SetLastError.KERNEL32 ref: 00007FF69E234913
                                                                                                                                                  • CreateActCtxW.KERNELBASE ref: 00007FF69E23495B
                                                                                                                                                  • CreateActCtxW.KERNELBASE ref: 00007FF69E234988
                                                                                                                                                  • CreateActCtxW.KERNELBASE ref: 00007FF69E2349B9
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$Create$Module$ErrorFileHandleLastName
                                                                                                                                                  • String ID: 8
                                                                                                                                                  • API String ID: 3223166449-4194326291
                                                                                                                                                  • Opcode ID: d14974a5c716cf7f0d27e37c84661555f04b9f7dc2864d760011af9fdf0ed141
                                                                                                                                                  • Instruction ID: 86adb7456005385444424e2bbcf92470c25f9518a4fc068a343cc7495daa8fd4
                                                                                                                                                  • Opcode Fuzzy Hash: d14974a5c716cf7f0d27e37c84661555f04b9f7dc2864d760011af9fdf0ed141
                                                                                                                                                  • Instruction Fuzzy Hash: 94318432609B8081EB70CB00E68436973A5FB98FD4F5416B6EA8D47798DF3CE544CB20

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorModule$FileModeName$AddressExtensionFindHandleLastPathProc
                                                                                                                                                  • String ID: NotifyWinEvent$user32.dll
                                                                                                                                                  • API String ID: 607988645-597752486
                                                                                                                                                  • Opcode ID: 1242ba9bb2ed459f8ed8bbafcd6cdc8d3f3db4a1beef15c5206ca0a3b77248b2
                                                                                                                                                  • Instruction ID: 541805a9f323b9d99f4586ff5dbd04c0a4c16aaf62d3da94e0071449cc5675bf
                                                                                                                                                  • Opcode Fuzzy Hash: 1242ba9bb2ed459f8ed8bbafcd6cdc8d3f3db4a1beef15c5206ca0a3b77248b2
                                                                                                                                                  • Instruction Fuzzy Hash: 68119422E0978281EB649F50BA8527832A0FFA8F80F5450B5F94DC735ACF3CD4458760

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MetricsSystem$CapsDevice
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 4163108049-0
                                                                                                                                                  • Opcode ID: bc37d8915490797640417a1c53e5cdb44734ee3c6f389cb8ff5005068f66c408
                                                                                                                                                  • Instruction ID: 988513897426790403c45f094fe00fa817b005f636346eb542836bb5c77a8e2f
                                                                                                                                                  • Opcode Fuzzy Hash: bc37d8915490797640417a1c53e5cdb44734ee3c6f389cb8ff5005068f66c408
                                                                                                                                                  • Instruction Fuzzy Hash: E0012C71E0874187EB144F61EB9822932A1FB5CB41F20A479EA1EC775EDF3CE5548B10

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExtensionFileFindModuleNamePath
                                                                                                                                                  • String ID: .CHM$.HLP$.INI
                                                                                                                                                  • API String ID: 2295281026-4017452060
                                                                                                                                                  • Opcode ID: 70ca3ed8a539f235d82268567e9004cb1a3f67b9402dd34ea4c6998a67e2ff55
                                                                                                                                                  • Instruction ID: 0703dbaa18a76ff7af29f8f14b7b76ef8ba6c98c7d90308580f77190b83d6273
                                                                                                                                                  • Opcode Fuzzy Hash: 70ca3ed8a539f235d82268567e9004cb1a3f67b9402dd34ea4c6998a67e2ff55
                                                                                                                                                  • Instruction Fuzzy Hash: 33618522A0C68640FA74AB5596D53B93251FF6CFC4F742CB2FA4CC2696DE3CE5448A70

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetStartupInfoA.KERNEL32 ref: 00007FF69E246639
                                                                                                                                                    • Part of subcall function 00007FF69E244B78: Sleep.KERNEL32(?,?,?,00007FF69E2448DB,?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018), ref: 00007FF69E244BBD
                                                                                                                                                  • GetFileType.KERNEL32 ref: 00007FF69E2467B6
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: FileInfoSleepStartupType
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1527402494-0
                                                                                                                                                  • Opcode ID: ee8fe385f8a7bae63a8730c52e7fdd718cb5336290bce8ea5ba7ddf394c836ee
                                                                                                                                                  • Instruction ID: cee97830c6e683cecf97d0f442f21a8b0fa9adef2f7f2d4daf0471f6b5c5ef38
                                                                                                                                                  • Opcode Fuzzy Hash: ee8fe385f8a7bae63a8730c52e7fdd718cb5336290bce8ea5ba7ddf394c836ee
                                                                                                                                                  • Instruction Fuzzy Hash: E791C221A0868681E7208B24D6C87283795FB25774F2587B6EA7DC73D1EF3DE846C721

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CommandInitializeLine_cinit
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2063639010-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  • GetEnvironmentStringsW.KERNEL32(?,?,00000001,00007FF69E2424E7), ref: 00007FF69E246594
                                                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(?,?,00000001,00007FF69E2424E7), ref: 00007FF69E2465EB
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: EnvironmentStrings$Free
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3328510275-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Color$MetricsSystem$BrushCapsCursorDeviceLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3232524254-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 352 7ff69e246974-7ff69e246996 HeapCreate 353 7ff69e246998-7ff69e2469b6 HeapSetInformation 352->353 354 7ff69e2469bb-7ff69e2469bf 352->354 353->354
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Heap$CreateInformation
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1774340351-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  • Executed
                                                                                                                                                  • Not Executed
                                                                                                                                                  control_flow_graph 355 7ff69e244b0c-7ff69e244b25 356 7ff69e244b28-7ff69e244b2b call 7ff69e242598 355->356 358 7ff69e244b30-7ff69e244b36 356->358 359 7ff69e244b38-7ff69e244b3e 358->359 360 7ff69e244b60-7ff69e244b77 358->360 359->360 361 7ff69e244b40-7ff69e244b5e Sleep 359->361 361->356 361->360
                                                                                                                                                  APIs
                                                                                                                                                  • malloc.LIBCMT ref: 00007FF69E244B2B
                                                                                                                                                    • Part of subcall function 00007FF69E242598: _FF_MSGBANNER.LIBCMT ref: 00007FF69E2425C8
                                                                                                                                                    • Part of subcall function 00007FF69E242598: HeapAlloc.KERNEL32(?,?,00000018,00007FF69E23113C), ref: 00007FF69E2425ED
                                                                                                                                                    • Part of subcall function 00007FF69E242598: _errno.LIBCMT ref: 00007FF69E242611
                                                                                                                                                    • Part of subcall function 00007FF69E242598: _errno.LIBCMT ref: 00007FF69E24261C
                                                                                                                                                  • Sleep.KERNEL32(?,?,00000000,00007FF69E24820D,?,?,00000000,00007FF69E2482B7,?,?,?,?,?,?,00000000,00007FF69E244900), ref: 00007FF69E244B42
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno$AllocHeapSleepmalloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 496785850-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Resource$FindLoad
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2619053042-0

                                                                                                                                                  Control-flow Graph

                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Release
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1375353473-0
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __doserrno_errno
                                                                                                                                                  • String ID: U
                                                                                                                                                  • API String ID: 921712934-4171548499
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1837315383-0
                                                                                                                                                  • Opcode ID: e4605640d6e570f5626ae63ce0ce73990c4c5a2b851189bcd070c5013030da3c
                                                                                                                                                  • Instruction ID: 2547d97030db315f6d40b38d4f96c5134444dcba024257ed9285539f2727fcdf
                                                                                                                                                  • Opcode Fuzzy Hash: e4605640d6e570f5626ae63ce0ce73990c4c5a2b851189bcd070c5013030da3c
                                                                                                                                                  • Instruction Fuzzy Hash: 4AF1E832A087818AE7308F21D6806797791FB68B94F544276FA5ED7B98EF3CE9418710
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno$AddressFileFindHandleInfoLibraryLoadLocaleModuleNamePathProc_snwprintf_s
                                                                                                                                                  • String ID: FindActCtxSectionStringW$KERNEL32$LOC$p
                                                                                                                                                  • API String ID: 1871938174-4153832316
                                                                                                                                                  • Opcode ID: 66270953a3ca5eceec9caff8501ab1beb8d3c2e1576dce9f41bcf0a9bc7f1791
                                                                                                                                                  • Instruction ID: 5a5c095e90e2bfd011c438eead39bc86db8aac63cf1881256d1e9515bd6f38d1
                                                                                                                                                  • Opcode Fuzzy Hash: 66270953a3ca5eceec9caff8501ab1beb8d3c2e1576dce9f41bcf0a9bc7f1791
                                                                                                                                                  • Instruction Fuzzy Hash: 1D51D421A0828295FB359B5096C53BD3290FFA8B41F9451B2F64DC36DADF3CE945CA30
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DecodePointer$write_multi_char$_errno$Sleep_getptdfreemallocwrite_char
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3557194103-0
                                                                                                                                                  • Opcode ID: 29b38cfb6244c05fc9fe4c9388e808a45ea3e3e0b8eae504d0fea494912cd712
                                                                                                                                                  • Instruction ID: a61480294dfa8296c471bf733df900f27553e7947ba29267244872f395792d67
                                                                                                                                                  • Opcode Fuzzy Hash: 29b38cfb6244c05fc9fe4c9388e808a45ea3e3e0b8eae504d0fea494912cd712
                                                                                                                                                  • Instruction Fuzzy Hash: 9A62C222A1C68785EB788B55D68437A76A0FBA1784F144077FB4EC76D4FE7DE8408B20
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DecodePointer$write_multi_char$_errno_getptdfreewrite_char
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2334620807-0
                                                                                                                                                  • Opcode ID: e58a3349c33a8a410f223af1158196bc06afeb7e2ec2527ed9466b2c39b516af
                                                                                                                                                  • Instruction ID: 39f7e3dd802fda633b5333b0449ebae6e83e936df0751fc9c5ec9f88f0da5412
                                                                                                                                                  • Opcode Fuzzy Hash: e58a3349c33a8a410f223af1158196bc06afeb7e2ec2527ed9466b2c39b516af
                                                                                                                                                  • Instruction Fuzzy Hash: 2F52C322A4C68686EB748B1496C427E77A1FB65784F144077FACEC76D4FE7DE8408B20
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF69E245FE0,?,?,?,?,00007FF69E2481D8,?,?,00000000,00007FF69E2482B7), ref: 00007FF69E245E47
                                                                                                                                                  • GetStdHandle.KERNEL32(?,?,?,?,?,00007FF69E245FE0,?,?,?,?,00007FF69E2481D8,?,?,00000000,00007FF69E2482B7), ref: 00007FF69E245F53
                                                                                                                                                  • WriteFile.KERNEL32 ref: 00007FF69E245F8D
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: File$HandleModuleNameWrite
                                                                                                                                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                                  • API String ID: 3784150691-4022980321
                                                                                                                                                  • Opcode ID: 51dbc543883988f1e80855e55fea12dfa78da3c34e5dd58239b041b224f47cba
                                                                                                                                                  • Instruction ID: dae01500fdf78d4968b7158b7d2a2e34adda2f04b9e9232925cf602f065f6a77
                                                                                                                                                  • Opcode Fuzzy Hash: 51dbc543883988f1e80855e55fea12dfa78da3c34e5dd58239b041b224f47cba
                                                                                                                                                  • Instruction Fuzzy Hash: 1F51A021F4864282FB3497219BD577A3251EF65784F4442B7FD8DC3ADAEE3CE5058620
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3778485334-0
                                                                                                                                                  • Opcode ID: d584a69cddaa4e6b1754793a9b29406e2965d42ebec6e8e045fe7a99673207f7
                                                                                                                                                  • Instruction ID: b3ed657f02a08986ea91e94a061edf527d820d1a692e08c014558e1151c86700
                                                                                                                                                  • Opcode Fuzzy Hash: d584a69cddaa4e6b1754793a9b29406e2965d42ebec6e8e045fe7a99673207f7
                                                                                                                                                  • Instruction Fuzzy Hash: DE310B35908B8695EB309B10FAD436A73A0FB64B54F504176EA8DC3769EF7CE044C760
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno$DecodePointer_getptd
                                                                                                                                                  • String ID: -$e+000$gfff
                                                                                                                                                  • API String ID: 2834218312-2620144452
                                                                                                                                                  • Opcode ID: 83e302c1b54ab71601af1ae8cc60b03937c81087c0d27ac0f3e7979bef3bf7d7
                                                                                                                                                  • Instruction ID: 18fa5fc169524a0e08b80735d2bf6646c3eabf7b22a3025ecfddc36c7ba45529
                                                                                                                                                  • Opcode Fuzzy Hash: 83e302c1b54ab71601af1ae8cc60b03937c81087c0d27ac0f3e7979bef3bf7d7
                                                                                                                                                  • Instruction Fuzzy Hash: 9E616C26A0C6C246E730CB2A96C166E76A1FB95B88F588273FA8C877C5DE3DD444C710
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno$ByteCharErrorLastMultiWide
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3895584640-0
                                                                                                                                                  • Opcode ID: 5fa6bc18691b61f6c5cded0d34cc75f323a545abe9fa45bc01fbffea11aee526
                                                                                                                                                  • Instruction ID: 9798e553f0e5088c20dbe33731a601207236db7d21533b94972dc14d59f625f4
                                                                                                                                                  • Opcode Fuzzy Hash: 5fa6bc18691b61f6c5cded0d34cc75f323a545abe9fa45bc01fbffea11aee526
                                                                                                                                                  • Instruction Fuzzy Hash: 3451D462A0C7824AF7719F24E28037EB790EB91750F645177F68D87AC9EE6CD4428B20
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1269745586-0
                                                                                                                                                  • Opcode ID: 107efe28c5ff7bfec1fe3b2a9b7be94f818d3e2d939d11d6faa0b212bb3c0782
                                                                                                                                                  • Instruction ID: bdf70f8345e3f08b5c123fed5cbc0e0d26c7122bfe9758f4d4a4715867478d87
                                                                                                                                                  • Opcode Fuzzy Hash: 107efe28c5ff7bfec1fe3b2a9b7be94f818d3e2d939d11d6faa0b212bb3c0782
                                                                                                                                                  • Instruction Fuzzy Hash: 2431247250CB8582EB348B64E5843AEB3A0FB94745F544135E7CD83A99EF7CD145CB10
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno$DecodePointer_getptd
                                                                                                                                                  • String ID: 0$gfffffff
                                                                                                                                                  • API String ID: 2834218312-1804767287
                                                                                                                                                  • Opcode ID: a03b16e5b8be9f2d27172765239d181bb4c129a7e91530aa3e1f17c25b92f7ec
                                                                                                                                                  • Instruction ID: c1754db3ec425f3c96589797202f26dfe3857a120be98987c0e742acdeebf86c
                                                                                                                                                  • Opcode Fuzzy Hash: a03b16e5b8be9f2d27172765239d181bb4c129a7e91530aa3e1f17c25b92f7ec
                                                                                                                                                  • Instruction Fuzzy Hash: DEB11462B0C3C746EB318B2A92813697B95EB61790F1482B3EB5D877D6EE3DE411C710
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1445889803-0
                                                                                                                                                  • Opcode ID: ce64f8101d70ba3ee7211268957e7f31521b5bf0f9ae9b383255ed29d9d2bc8f
                                                                                                                                                  • Instruction ID: 977203a33a2b81b24b5255f55325a123167aaa13b4cbf8ce88a39a5a4de00707
                                                                                                                                                  • Opcode Fuzzy Hash: ce64f8101d70ba3ee7211268957e7f31521b5bf0f9ae9b383255ed29d9d2bc8f
                                                                                                                                                  • Instruction Fuzzy Hash: 4B01A121A68E4181E7608F21EBD02693360FB58F90F146671FE9EC77A8DE3CD8858320
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                                  • String ID: InitCommonControlsEx
                                                                                                                                                  • API String ID: 310444273-2357626986
                                                                                                                                                  • Opcode ID: 88b712c4db6e0c7741b864b470c9efc69e1526e8c30d0015929980efe9aed252
                                                                                                                                                  • Instruction ID: cf5863b6f1ab5f442bf77f520c59922019068acdf4d2a7355ad8634dfe8422ed
                                                                                                                                                  • Opcode Fuzzy Hash: 88b712c4db6e0c7741b864b470c9efc69e1526e8c30d0015929980efe9aed252
                                                                                                                                                  • Instruction Fuzzy Hash: 05016D32A05F45C1DF658F25E6C032873B0EB68F98F289075DA4C86768DF38D8A6C750
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: State$LongMessageSendWindow
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1063413437-0
                                                                                                                                                  • Opcode ID: 90532dc7b57d2035bdebbf167271912926a735c251f95edbaba371a971d4f8b9
                                                                                                                                                  • Instruction ID: 7c145c541453e5f007d1e0dedd83dfdf6ec78036f6468e645b87f677de686928
                                                                                                                                                  • Opcode Fuzzy Hash: 90532dc7b57d2035bdebbf167271912926a735c251f95edbaba371a971d4f8b9
                                                                                                                                                  • Instruction Fuzzy Hash: 2911C621F1858242FB746F51E6941B87251EF54F80F486475FA8EC778ACE2CE8914B20
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                  • API String ID: 0-2761157908
                                                                                                                                                  • Opcode ID: 6bcc50de6553a083ecdcb418b0f0c85ca5865dd63f3e0b4dc6f05bfed80608eb
                                                                                                                                                  • Instruction ID: f67c5ad65b64f6e1fe98e366f48f42bd9138e0299ec1de0bb0e62a45aab64b35
                                                                                                                                                  • Opcode Fuzzy Hash: 6bcc50de6553a083ecdcb418b0f0c85ca5865dd63f3e0b4dc6f05bfed80608eb
                                                                                                                                                  • Instruction Fuzzy Hash: 8D62F373A1C282C7E7348B28D680A2E7BA1F7A5744F545136F689C7A99DE3CE941CF10
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Resource$LoadLockSizeof
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2853612939-0
                                                                                                                                                  • Opcode ID: e183fb0c610d6a55e9de8e9ab7248045a9e70f3b6cbd1b85e622a50c81ec1c2e
                                                                                                                                                  • Instruction ID: 134a79c325378485ed17ab01bc68f15679fc4c278261f75c4ed10a4283138f0b
                                                                                                                                                  • Opcode Fuzzy Hash: e183fb0c610d6a55e9de8e9ab7248045a9e70f3b6cbd1b85e622a50c81ec1c2e
                                                                                                                                                  • Instruction Fuzzy Hash: CC01B512B19A5281EF314B11A5810B97290EB65F94F1C9571FA5E8778CDF3CE8818720
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID:
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID:
                                                                                                                                                  • Opcode ID: b0ea8ed6de35107b2ea9b6fc2538e86f2241f84a6cc74cc1ba37322831178f63
                                                                                                                                                  • Instruction ID: a33127932b33d6f616e49d26d0a1846988751ed97afcf10761635737e13ae17f
                                                                                                                                                  • Opcode Fuzzy Hash: b0ea8ed6de35107b2ea9b6fc2538e86f2241f84a6cc74cc1ba37322831178f63
                                                                                                                                                  • Instruction Fuzzy Hash: 49016721B0C64281FF745715ABC027B7261DF64F80F5470B1F95EC2699FE6CE6058A20
                                                                                                                                                  APIs
                                                                                                                                                  • RtlCaptureContext.KERNEL32 ref: 00007FF69E249537
                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69E24957D
                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32 ref: 00007FF69E249588
                                                                                                                                                    • Part of subcall function 00007FF69E245D84: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF69E245FE0,?,?,?,?,00007FF69E2481D8,?,?,00000000,00007FF69E2482B7), ref: 00007FF69E245E47
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2731829486-0
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DecodePointer_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3485708101-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: InfoLocale
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2299586839-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Version
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1889659487-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3192549508-0
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1012874770-0
                                                                                                                                                  APIs
                                                                                                                                                  • LoadLibraryA.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B935
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B951
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B979
                                                                                                                                                  • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B982
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B998
                                                                                                                                                  • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B9A1
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B9B7
                                                                                                                                                  • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B9C0
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B9DE
                                                                                                                                                  • EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24B9E7
                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24BA19
                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24BA28
                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24BA80
                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24BAA0
                                                                                                                                                  • DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000001,00007FF69E245F4C,?,?,?,?,?,00007FF69E245FE0), ref: 00007FF69E24BAB9
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
                                                                                                                                                  • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                                                                                                  • API String ID: 3085332118-232180764
                                                                                                                                                  • Opcode ID: 600ea6198b5b0b1679be1331fb7d23f83606866e0f5b3ab088cef2f6e97bbff2
                                                                                                                                                  • Instruction ID: 25470909085c1e1c2dcc0bed1454869e3841438dff479dcb0934e0efe7591789
                                                                                                                                                  • Opcode Fuzzy Hash: 600ea6198b5b0b1679be1331fb7d23f83606866e0f5b3ab088cef2f6e97bbff2
                                                                                                                                                  • Instruction Fuzzy Hash: A5510420A0AB5281EE75EB12BB9417872D0EF65F84F0405B6FD0DC37A5FE3CE5518220
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                                                                                                                  • API String ID: 667068680-2451437823
                                                                                                                                                  • Opcode ID: 9a83c15635a61a6ebc7d80dc90bc7af22203be6b66c9f2c2d3975b780fd826e3
                                                                                                                                                  • Instruction ID: 695be31da2cd6602f7c7073c4ff83bad701c493510672bf1071bd5b9ea772884
                                                                                                                                                  • Opcode Fuzzy Hash: 9a83c15635a61a6ebc7d80dc90bc7af22203be6b66c9f2c2d3975b780fd826e3
                                                                                                                                                  • Instruction Fuzzy Hash: D241AC65A4DB4381EB709B15FBC843533A5FF24B80F945AB6E54DC23A8EF7CB4948620
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileLanguagesNameResource
                                                                                                                                                  • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                                                                                                                                                  • API String ID: 3469480098-2299501126
                                                                                                                                                  • Opcode ID: f5d01864e168359bee715a1d1d7b975c87933834da8f1bcc652a08cde8fa1949
                                                                                                                                                  • Instruction ID: 30d9716e6d70560625d9b220819ee392a6e6886866acb9a0b659dcfcb19a8534
                                                                                                                                                  • Opcode Fuzzy Hash: f5d01864e168359bee715a1d1d7b975c87933834da8f1bcc652a08cde8fa1949
                                                                                                                                                  • Instruction Fuzzy Hash: 8791A626A19B8145E7708B15EAC027A7360FFA4BA4F542275F9AEC37D9CF7CD4448B10
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
                                                                                                                                                  • String ID: bad exception$csm$csm$csm
                                                                                                                                                  • API String ID: 2351602029-820278400
                                                                                                                                                  • Opcode ID: 077fd2b264642ef14ee80e50a2bf0f0a95f9cb7a684c78bb6b51fdef28af1a04
                                                                                                                                                  • Instruction ID: 14666dbd1c969c47fa8b9aed4fd50d25da8503897b57f5742602232eda2691b9
                                                                                                                                                  • Opcode Fuzzy Hash: 077fd2b264642ef14ee80e50a2bf0f0a95f9cb7a684c78bb6b51fdef28af1a04
                                                                                                                                                  • Instruction Fuzzy Hash: CDE1E732A0878286DA709B21A6802BD7791FB64780F444577FE9D87B56EF3CE550C720
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Long$ClassHookPropWindow$CallErrorLastNext$AtomGlobalInfoNameUnhookWindows
                                                                                                                                                  • String ID: #32768$AfxOldWndProc423
                                                                                                                                                  • API String ID: 3073514535-2141921550
                                                                                                                                                  • Opcode ID: 7e0134f9c174d19f7243bf16a9a1ba95c95b5b68272c7d0412d4ecf033db0cfd
                                                                                                                                                  • Instruction ID: 789eccdd52dfd441e13bf6fba187b1a66c963385667716dfb517fc818dcb7908
                                                                                                                                                  • Opcode Fuzzy Hash: 7e0134f9c174d19f7243bf16a9a1ba95c95b5b68272c7d0412d4ecf033db0cfd
                                                                                                                                                  • Instruction Fuzzy Hash: 4E51B122A08A4682EA349F11EA851793361FF69F91F5461B1FD1ED77A9CF3CE8418720
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: RectWindow$ClientCopyLongParent$ByteCharMessageMultiPointsSendWide
                                                                                                                                                  • String ID: (
                                                                                                                                                  • API String ID: 1993480526-3887548279
                                                                                                                                                  • Opcode ID: 7b4e3e451b5b8f311195731a0ff5bdd1b6bc49816c2f2282f9145c5a92254a26
                                                                                                                                                  • Instruction ID: 169c110dfc994912f41a5e964450472d9dc57420cead1eb7eaa502f752f598a9
                                                                                                                                                  • Opcode Fuzzy Hash: 7b4e3e451b5b8f311195731a0ff5bdd1b6bc49816c2f2282f9145c5a92254a26
                                                                                                                                                  • Instruction Fuzzy Hash: 33617172A1864287DB24CB29E68852AB761FB94B80F546571FB4EC3B4DDF7DE8048F10
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$CloseHandleModuleOpenQueryValue
                                                                                                                                                  • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                                                                                                                  • API String ID: 380410164-2424895508
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd$CreateFrameInfo
                                                                                                                                                  • String ID: csm
                                                                                                                                                  • API String ID: 4181383844-1018135373
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: free$_lock$ErrorFreeHeapLast_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1575098132-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ExceptionRaise$ErrorLastLibraryLoad
                                                                                                                                                  • String ID: H
                                                                                                                                                  • API String ID: 948315288-2852464175
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                  • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                                                                                                                                                  • API String ID: 667068680-2424895508
                                                                                                                                                  APIs
                                                                                                                                                  • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E2509C2
                                                                                                                                                  • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E2509E1
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250A86
                                                                                                                                                  • malloc.LIBCMT ref: 00007FF69E250A9D
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250AE5
                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250B20
                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250B5C
                                                                                                                                                  • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250B9C
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E250BAA
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E250BCC
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ByteCharMultiWide$Infofree$malloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1309074677-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
                                                                                                                                                  • String ID: AfxOldWndProc423
                                                                                                                                                  • API String ID: 3892049428-1060338832
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1012874770-0
                                                                                                                                                  APIs
                                                                                                                                                  • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF69E24D762), ref: 00007FF69E24D4F0
                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF69E24D762), ref: 00007FF69E24D502
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF69E24D762), ref: 00007FF69E24D562
                                                                                                                                                  • malloc.LIBCMT ref: 00007FF69E24D5CE
                                                                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF69E24D762), ref: 00007FF69E24D618
                                                                                                                                                  • GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF69E24D762), ref: 00007FF69E24D62F
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24D640
                                                                                                                                                  • GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF69E24D762), ref: 00007FF69E24D6BD
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24D6CD
                                                                                                                                                    • Part of subcall function 00007FF69E25096C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E2509C2
                                                                                                                                                    • Part of subcall function 00007FF69E25096C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E2509E1
                                                                                                                                                    • Part of subcall function 00007FF69E25096C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250AE5
                                                                                                                                                    • Part of subcall function 00007FF69E25096C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF69E250B20
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3804003340-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _cwprintf_s_l
                                                                                                                                                  • String ID: %s (%s:%d)$%s (%s:%d)%s$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl$m
                                                                                                                                                  • API String ID: 2941638530-3354999808
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _cwprintf_s_l
                                                                                                                                                  • String ID: %s (%s:%d)$%s (%s:%d)%s$8$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
                                                                                                                                                  • API String ID: 2941638530-2049090729
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalSection$Leave$AllocLocalValue$Enter
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2344649020-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2918714741-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __doserrno_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 921712934-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __doserrno_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 921712934-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __doserrno_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 921712934-0
                                                                                                                                                  • Opcode ID: 06a6d5694e03058a6c3b65e2dd3af650642b5fbd6dbf7e45db357b7798aace56
                                                                                                                                                  • Instruction ID: 568058d9bb619bc4dd9e3ee0a64af465df94065480428ad2495859711729c27a
                                                                                                                                                  • Opcode Fuzzy Hash: 06a6d5694e03058a6c3b65e2dd3af650642b5fbd6dbf7e45db357b7798aace56
                                                                                                                                                  • Instruction Fuzzy Hash: 9531D532A0864285E3315F25AEC167D3550FFA2760F6042B6F969C76C7DE3CE4018720
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: free$AtomDeleteGlobal
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 622211665-0
                                                                                                                                                  • Opcode ID: 32155b6753ba06189378d357347ac45b9a04fc3c56724ac4d563f58d6a253cf7
                                                                                                                                                  • Instruction ID: ca14cf9d0b8e75030a4fce47daea8483c2cd98b27bb578957f8ad78d5fc868e6
                                                                                                                                                  • Opcode Fuzzy Hash: 32155b6753ba06189378d357347ac45b9a04fc3c56724ac4d563f58d6a253cf7
                                                                                                                                                  • Instruction Fuzzy Hash: 69416F33609A8180EB209F21D6903B97365FF98F84F555272EA5E877A5DF2DE881C720
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2918714741-0
                                                                                                                                                  • Opcode ID: e6db5971b835fbbfdee1c365ce2c141584fc6d282243e34c4ecf0aa909da554e
                                                                                                                                                  • Instruction ID: f99240025d801f518f877975e6184e03c35d8861fc0721c693415f01ac30a1b6
                                                                                                                                                  • Opcode Fuzzy Hash: e6db5971b835fbbfdee1c365ce2c141584fc6d282243e34c4ecf0aa909da554e
                                                                                                                                                  • Instruction Fuzzy Hash: 6631E422F0864241F7325F24AAC177D3640EFA0754F5516BBFA6D8F6D6EE7CA4008620
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _cwprintf_s_l
                                                                                                                                                  • String ID: %s (%s:%d)$%s (%s:%d)%s$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
                                                                                                                                                  • API String ID: 2941638530-1547102704
                                                                                                                                                  • Opcode ID: 7425f000f610251bddbb8a1cd526128b4cb96b25e8d00865f21713d1e90c0898
                                                                                                                                                  • Instruction ID: f921640f87cefc7fabd70f043b5032886052b968ca31b44dd08204c14470573d
                                                                                                                                                  • Opcode Fuzzy Hash: 7425f000f610251bddbb8a1cd526128b4cb96b25e8d00865f21713d1e90c0898
                                                                                                                                                  • Instruction Fuzzy Hash: 3621DF22A04E4696EB20DF25DA805BC3361FBA4B88F645132FA0DC37A9DF3CD985C750
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Heap_errno$AllocDecodeErrorInformationLastPointerQuerySize
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3929725371-0
                                                                                                                                                  • Opcode ID: 9afc4f919ab21b7d9edc95f2d2fe53a8eb8b930ba7ea4db90c7d2838a21f74d0
                                                                                                                                                  • Instruction ID: 2ead64475aaab338a77d870b501af33f93e6926cf54e493b6ce04c65cc69ac94
                                                                                                                                                  • Opcode Fuzzy Hash: 9afc4f919ab21b7d9edc95f2d2fe53a8eb8b930ba7ea4db90c7d2838a21f74d0
                                                                                                                                                  • Instruction Fuzzy Hash: B621A761A0864285FB309B61E78027972A1FFA4BD4F584676FA5CC7BD9EF7CD4008710
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _cwprintf_s_l
                                                                                                                                                  • String ID: %s (%s:%d)$%s (%s:%d)%s$Exception thrown in destructor$f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
                                                                                                                                                  • API String ID: 2941638530-49975270
                                                                                                                                                  • Opcode ID: 7a6d1e17cc8d12b9917e16a73bc18acecfb2c1d81305a41c997ce7f2a210d50e
                                                                                                                                                  • Instruction ID: 3b48583e13bbf5c15bb8be6f132cde7711eb48e02b503572ec6e2886d771798d
                                                                                                                                                  • Opcode Fuzzy Hash: 7a6d1e17cc8d12b9917e16a73bc18acecfb2c1d81305a41c997ce7f2a210d50e
                                                                                                                                                  • Instruction Fuzzy Hash: 8221C362605B4796EB24DF65DA802AC3360FB64B44F405036FA0EC37A9EF7CD544C750
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd$ExceptionRaise
                                                                                                                                                  • String ID: csm
                                                                                                                                                  • API String ID: 2255768072-1018135373
                                                                                                                                                  • Opcode ID: 8dfcf0e640377a4461490d2d3863c947f65182ca897fb928965367dd135d0338
                                                                                                                                                  • Instruction ID: f26f4fa0b8221d90c7b7334f07da862a3fb1cfb997a7eddff0c254c519de2c66
                                                                                                                                                  • Opcode Fuzzy Hash: 8dfcf0e640377a4461490d2d3863c947f65182ca897fb928965367dd135d0338
                                                                                                                                                  • Instruction Fuzzy Hash: 0C315E36608642C2D670CF51E1806697365FB65B61F044273EF9E43B95DF7DE885CB10
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: System$Metrics$ByteCharInfoMultiParametersWide
                                                                                                                                                  • String ID: $DISPLAY
                                                                                                                                                  • API String ID: 1415089127-3074206054
                                                                                                                                                  • Opcode ID: fc2714e30d3f57ef9cdcb424ab9ba0758a352abd3e8a9f21d964608893f8c602
                                                                                                                                                  • Instruction ID: 320b3c1d1c97efe0b8f4786c826ec0fb7c56dcaa8be0d07acc0fe1db53a6ff98
                                                                                                                                                  • Opcode Fuzzy Hash: fc2714e30d3f57ef9cdcb424ab9ba0758a352abd3e8a9f21d964608893f8c602
                                                                                                                                                  • Instruction Fuzzy Hash: D421A572A0874282EB348F25E68467AB3B2FB64F54F546175E60AC2688EF3CD544CB24
                                                                                                                                                  APIs
                                                                                                                                                  • _FF_MSGBANNER.LIBCMT ref: 00007FF69E2481D3
                                                                                                                                                    • Part of subcall function 00007FF69E245D84: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF69E245FE0,?,?,?,?,00007FF69E2481D8,?,?,00000000,00007FF69E2482B7), ref: 00007FF69E245E47
                                                                                                                                                    • Part of subcall function 00007FF69E242D64: ExitProcess.KERNEL32 ref: 00007FF69E242D73
                                                                                                                                                    • Part of subcall function 00007FF69E244B0C: malloc.LIBCMT ref: 00007FF69E244B2B
                                                                                                                                                    • Part of subcall function 00007FF69E244B0C: Sleep.KERNEL32(?,?,00000000,00007FF69E24820D,?,?,00000000,00007FF69E2482B7,?,?,?,?,?,?,00000000,00007FF69E244900), ref: 00007FF69E244B42
                                                                                                                                                  • _errno.LIBCMT ref: 00007FF69E248215
                                                                                                                                                  • _lock.LIBCMT ref: 00007FF69E248229
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24824B
                                                                                                                                                  • _errno.LIBCMT ref: 00007FF69E248250
                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF69E2482B7,?,?,?,?,?,?,00000000,00007FF69E244900,?,?,00000018,00007FF69E243731), ref: 00007FF69E248276
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1024173049-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreePrinter.Unlocklstrcmp
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 992435789-0
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseCreate$Open
                                                                                                                                                  • String ID: software
                                                                                                                                                  • API String ID: 1740278721-2010147023
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Color$Brush
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2798902688-0
                                                                                                                                                  APIs
                                                                                                                                                  • _getptd.LIBCMT ref: 00007FF69E24AFCF
                                                                                                                                                    • Part of subcall function 00007FF69E24ACA8: GetOEMCP.KERNEL32 ref: 00007FF69E24ACD2
                                                                                                                                                    • Part of subcall function 00007FF69E244B0C: malloc.LIBCMT ref: 00007FF69E244B2B
                                                                                                                                                    • Part of subcall function 00007FF69E244B0C: Sleep.KERNEL32(?,?,00000000,00007FF69E24820D,?,?,00000000,00007FF69E2482B7,?,?,?,?,?,?,00000000,00007FF69E244900), ref: 00007FF69E244B42
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24B05B
                                                                                                                                                    • Part of subcall function 00007FF69E242650: HeapFree.KERNEL32(?,?,00000000,00007FF69E244914,?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018), ref: 00007FF69E242666
                                                                                                                                                    • Part of subcall function 00007FF69E242650: _errno.LIBCMT ref: 00007FF69E242670
                                                                                                                                                    • Part of subcall function 00007FF69E242650: GetLastError.KERNEL32(?,?,00000000,00007FF69E244914,?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018), ref: 00007FF69E242678
                                                                                                                                                  • _lock.LIBCMT ref: 00007FF69E24B093
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24B143
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24B173
                                                                                                                                                  • _errno.LIBCMT ref: 00007FF69E24B178
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2878544890-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$Enable$ParentProcess$ActiveCurrentEnabledFileLastLongMessageModuleNamePopupSendThread
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1819874647-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 670545878-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2210154019-0
                                                                                                                                                  APIs
                                                                                                                                                  • GetLastError.KERNEL32(?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018,00007FF69E23113C), ref: 00007FF69E2448B2
                                                                                                                                                  • FlsGetValue.KERNEL32(?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018,00007FF69E23113C), ref: 00007FF69E2448C0
                                                                                                                                                  • SetLastError.KERNEL32(?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018,00007FF69E23113C), ref: 00007FF69E244918
                                                                                                                                                    • Part of subcall function 00007FF69E244B78: Sleep.KERNEL32(?,?,?,00007FF69E2448DB,?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018), ref: 00007FF69E244BBD
                                                                                                                                                  • FlsSetValue.KERNEL32(?,?,00000018,00007FF69E243731,?,?,?,?,00007FF69E242636,?,?,00000018,00007FF69E23113C), ref: 00007FF69E2448EC
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24490F
                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00007FF69E244900
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ErrorLastValue_lock$CurrentSleepThreadfree
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3106088686-0
                                                                                                                                                  APIs
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$Rect$ClientCtrlLongScreen
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1315500227-0
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseEnumOpenQueryValue
                                                                                                                                                  • String ID: Software\
                                                                                                                                                  • API String ID: 3984146545-964853688
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseDeleteEnumOpen
                                                                                                                                                  • String ID: Software\Classes\
                                                                                                                                                  • API String ID: 4142876296-1121929649
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: LongWindow$MessageSend
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 2178440468-2766056989
                                                                                                                                                  APIs
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: free$ErrorFreeHeapLast_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1012874770-0
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd
                                                                                                                                                  • String ID: MOC$csm
                                                                                                                                                  • API String ID: 3186804695-1389381023
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Pointer$Encode$Decode$Sleep_errnorealloc
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1310268301-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd$CallTranslator
                                                                                                                                                  • String ID: MOC
                                                                                                                                                  • API String ID: 3569367362-624257665
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalSection$AddressEnterFreeInitializeLeaveLibraryProc
                                                                                                                                                  • String ID: HtmlHelpW$hhctrl.ocx
                                                                                                                                                  • API String ID: 3379933665-3773518134
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                                                                  • String ID: InitCommonControls
                                                                                                                                                  • API String ID: 310444273-2489084829
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF69E242D71,?,?,00000000,00007FF69E2481EA,?,?,00000000,00007FF69E2482B7), ref: 00007FF69E242D37
                                                                                                                                                  • GetProcAddress.KERNEL32(?,?,000000FF,00007FF69E242D71,?,?,00000000,00007FF69E2481EA,?,?,00000000,00007FF69E2482B7), ref: 00007FF69E242D4C
                                                                                                                                                  Strings
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                  • API String ID: 1646373207-1276376045
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: lstrlen
                                                                                                                                                  • String ID: 1$1
                                                                                                                                                  • API String ID: 1659193697-2061416233
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: BitmapMenu$BitmapsCheckCreateDimensionsItemLoadMark
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 527726921-0
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd$BaseImage
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2482573191-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$MessageSend
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1496643700-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: MessageSend$Capture
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1665607226-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Close$CreatePrivateProfileStringValueWriteswprintf
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2653322536-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: TextWindow$lstrcmplstrlen
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 330964273-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$Item
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 369458955-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: EnableFocusItemMenuMessageParentSend
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 2297321873-0
                                                                                                                                                  APIs
                                                                                                                                                  • FlsFree.KERNEL32(?,?,?,?,00007FF69E244B01,?,?,00000000,00007FF69E242497), ref: 00007FF69E2447DB
                                                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,00007FF69E244B01), ref: 00007FF69E248146
                                                                                                                                                  • free.LIBCMT ref: 00007FF69E24814F
                                                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,00007FF69E244B01), ref: 00007FF69E24816F
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalDeleteSection$Freefree
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1250194111-0
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: DecodePointer_errno_flush_freebuf
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 1889905870-0
                                                                                                                                                  • Opcode ID: 0d236cc6a0e1417cb02400c5aad59cda1dc7087f7a6a1f4985be53c40cfb7b21
                                                                                                                                                  • Instruction ID: d1aeded4e4fe111d74878f552e6273dba7671cf49698bd418730453caa18754d
                                                                                                                                                  • Opcode Fuzzy Hash: 0d236cc6a0e1417cb02400c5aad59cda1dc7087f7a6a1f4985be53c40cfb7b21
                                                                                                                                                  • Instruction Fuzzy Hash: 23019223F1964241FB34AB799AD17397151DFB5764F680671FA19C72C2EE2CE4018260
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: __doserrno_errno
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 921712934-0
                                                                                                                                                  • Opcode ID: 6fb6459eacf1421176aab87a8aa3125b831d16f12416385c3da72f55c70d097e
                                                                                                                                                  • Instruction ID: 33ccb0cfa8e75e4d501579988a9551c1625dc4f6f5f95cefd2d1876c67ca97a2
                                                                                                                                                  • Opcode Fuzzy Hash: 6fb6459eacf1421176aab87a8aa3125b831d16f12416385c3da72f55c70d097e
                                                                                                                                                  • Instruction Fuzzy Hash: 09019262F1854541FA355B68D6D137C3690DFB0B25F6043B7F96D8F2D2DE2D60008630
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ParentWindow$Long
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 941798831-0
                                                                                                                                                  • Opcode ID: d88deac57c03fd25cec48a5304665cbeb6560d2971ce6904e7e7caafd1668805
                                                                                                                                                  • Instruction ID: ff9d44f124363c986a981d105cea3a3cc3e5233c2f79910ea88ff9f69a91a96c
                                                                                                                                                  • Opcode Fuzzy Hash: d88deac57c03fd25cec48a5304665cbeb6560d2971ce6904e7e7caafd1668805
                                                                                                                                                  • Instruction Fuzzy Hash: 85F08152A0864282EA345B66E3C50383360EFA5F80F1425B1FA1FD338ACE2CE4404730
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd
                                                                                                                                                  • String ID: csm$csm
                                                                                                                                                  • API String ID: 3186804695-3733052814
                                                                                                                                                  • Opcode ID: 9603d3a59ed98a97fd4294645089434ce4903f955c5aa9c1f4fb3c57e3aafa99
                                                                                                                                                  • Instruction ID: 86e5c79b1823750d80016c5e4414bbee41f49c64627f0da3e0ea2d4734aa3873
                                                                                                                                                  • Opcode Fuzzy Hash: 9603d3a59ed98a97fd4294645089434ce4903f955c5aa9c1f4fb3c57e3aafa99
                                                                                                                                                  • Instruction Fuzzy Hash: 6551A433A186828AEB748E25928037D7691FB65B84F444176FA5DC7B85EF3CE890CB11
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno
                                                                                                                                                  • String ID: 1
                                                                                                                                                  • API String ID: 2918714741-2212294583
                                                                                                                                                  • Opcode ID: e978c71282cd5847d77167f3c8f6ec9f03b4de788a3c5c40030d97145878aad9
                                                                                                                                                  • Instruction ID: 449e3a3f77ab88f08c46c2a166e5b6bd00097de10771550a1d3c139a8b61fe6b
                                                                                                                                                  • Opcode Fuzzy Hash: e978c71282cd5847d77167f3c8f6ec9f03b4de788a3c5c40030d97145878aad9
                                                                                                                                                  • Instruction Fuzzy Hash: F121D362A1C2C2D5F776AA2CCA9237C3F90DF65740F5484B3E649976C3FE2D99008721
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: Window$CtrlRect$ClientLongMessageScreenSend
                                                                                                                                                  • String ID: @
                                                                                                                                                  • API String ID: 1956310361-2766056989
                                                                                                                                                  • Opcode ID: 5080bbafc96bd8ee083738183e4419053a56c5b1a9234ac59f1ffcc9378e53e8
                                                                                                                                                  • Instruction ID: 87fc78352ecbb220c0a60d51e7bc9a7b9ab5ced402bf831bb0e0ad6eb2ea00ca
                                                                                                                                                  • Opcode Fuzzy Hash: 5080bbafc96bd8ee083738183e4419053a56c5b1a9234ac59f1ffcc9378e53e8
                                                                                                                                                  • Instruction Fuzzy Hash: 4F018236619B8182EB288F25A5851297661EB50FF4F185334FA7D8B7D9CF3CD4518B10
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _errno
                                                                                                                                                  • String ID: Settings
                                                                                                                                                  • API String ID: 2918714741-473154195
                                                                                                                                                  • Opcode ID: 97982ef28cb6b9a4ad15ba015f7434a801bc32c4adf441f9bab93c2402869613
                                                                                                                                                  • Instruction ID: 1722336ec7f815c1b26d3d8c90a814d03920e2f194ebce2c66ad5d1b7148747b
                                                                                                                                                  • Opcode Fuzzy Hash: 97982ef28cb6b9a4ad15ba015f7434a801bc32c4adf441f9bab93c2402869613
                                                                                                                                                  • Instruction Fuzzy Hash: 7201B572908A4194EB305B65E68017E7691EFA5BD4F744272FAACC7AD7EE2CD4004614
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: _getptd
                                                                                                                                                  • String ID: csm
                                                                                                                                                  • API String ID: 3186804695-1018135373
                                                                                                                                                  • Opcode ID: 9835e863b25e3545cb9d4688d5328d1f210ea7eb98db5c3d7bee7848c0ee566f
                                                                                                                                                  • Instruction ID: bae40b00eec1b2f249f6aa2c2507525967031fe370727b4891e864464dff9cdc
                                                                                                                                                  • Opcode Fuzzy Hash: 9835e863b25e3545cb9d4688d5328d1f210ea7eb98db5c3d7bee7848c0ee566f
                                                                                                                                                  • Instruction Fuzzy Hash: 30016D2790464285DB30DF2186802B83364EB6C759F4851BAE94E8A689DF28D481C310
                                                                                                                                                  APIs
                                                                                                                                                  • GetModuleFileNameW.KERNEL32 ref: 00007FF69E2321A1
                                                                                                                                                  • PathFindExtensionW.SHLWAPI ref: 00007FF69E2321B9
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: GetModuleHandleW.KERNEL32 ref: 00007FF69E231E60
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: GetProcAddress.KERNEL32 ref: 00007FF69E231E73
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: ConvertDefaultLocale.KERNEL32 ref: 00007FF69E231EA2
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: ConvertDefaultLocale.KERNEL32 ref: 00007FF69E231EAE
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: GetProcAddress.KERNEL32 ref: 00007FF69E231EC6
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: ConvertDefaultLocale.KERNEL32 ref: 00007FF69E231EF0
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: ConvertDefaultLocale.KERNEL32 ref: 00007FF69E231EFC
                                                                                                                                                    • Part of subcall function 00007FF69E231E14: GetModuleFileNameW.KERNEL32 ref: 00007FF69E231FC8
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindHandlePath
                                                                                                                                                  • String ID: %s%s.dll
                                                                                                                                                  • API String ID: 288242826-1649984862
                                                                                                                                                  • Opcode ID: 3617adedbeb8805e58fc525f248407e61c9ad3bc77ecdc3eda23b26c6bfed20c
                                                                                                                                                  • Instruction ID: 7910ea5fa86fc33e980a1ef4de561de9f4544d0f65fcf947eb32d09e7cc4fb6b
                                                                                                                                                  • Opcode Fuzzy Hash: 3617adedbeb8805e58fc525f248407e61c9ad3bc77ecdc3eda23b26c6bfed20c
                                                                                                                                                  • Instruction Fuzzy Hash: C5016122608A4291EB318B14EED43797370FBA8F88F601172E69CC3369DE3DD546C710
                                                                                                                                                  APIs
                                                                                                                                                  Strings
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CloseCreate$Open
                                                                                                                                                  • String ID: Settings
                                                                                                                                                  • API String ID: 1740278721-473154195
                                                                                                                                                  • Opcode ID: 7312c1b7393e4a7dc78af1cc6eb1438135aff2bb84dc56b33a2ad6777ef174bf
                                                                                                                                                  • Instruction ID: 75bb5a55c6ee6307668d7c88fbf0d834796ef5499400a4dd625fa6b84c50a923
                                                                                                                                                  • Opcode Fuzzy Hash: 7312c1b7393e4a7dc78af1cc6eb1438135aff2bb84dc56b33a2ad6777ef174bf
                                                                                                                                                  • Instruction Fuzzy Hash: B2F04F32A18B4183EB108B15F58432AB6E0FB98BD4F641234FB8D06B69DF3CC0448F00
                                                                                                                                                  APIs
                                                                                                                                                  Memory Dump Source
                                                                                                                                                  • Source File: 00000013.00000002.3228005652.00007FF69E231000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF69E230000, based on PE: true
                                                                                                                                                  • Associated: 00000013.00000002.3227710282.00007FF69E230000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228044953.00007FF69E253000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E260000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228074067.00007FF69E265000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                  • Associated: 00000013.00000002.3228131039.00007FF69E269000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                  • Snapshot File: hcaresult_19_2_7ff69e230000_wizveraregsvr.jbxd
                                                                                                                                                  Similarity
                                                                                                                                                  • API ID: CriticalSection$Leave$EnterValue
                                                                                                                                                  • String ID:
                                                                                                                                                  • API String ID: 3969253408-0
                                                                                                                                                  • Opcode ID: 6af63ece1ed5b6eb7520ecea4c08e1b1bd606d1b120bcc2bde6ca84b2e96deeb
                                                                                                                                                  • Instruction ID: f88e0d3cf23380997bea101e4808c93711a5159a3c9af9cddd3508dbcd30064f
                                                                                                                                                  • Opcode Fuzzy Hash: 6af63ece1ed5b6eb7520ecea4c08e1b1bd606d1b120bcc2bde6ca84b2e96deeb
                                                                                                                                                  • Instruction Fuzzy Hash: 4B014F21A18B4292EB74CF52F6C41397360EFA8F50B1564B5EA4E87669CE2DE485CB10