Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
0438.pdf.exe

Overview

General Information

Sample name:0438.pdf.exe
renamed because original name is a hash value
Original sample name: .pdf.exe
Analysis ID:1545741
MD5:2d11dba46735af1cb1c0a42e9564e20d
SHA1:b2e17960c6d080f7aba7df87f57c08b4bc2e7051
SHA256:e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Connects to many ports of the same IP (likely port scanning)
Enables network access during safeboot for specific services
Enables remote desktop connection
Initial sample is a PE file and has a suspicious name
Uses an obfuscated file name to hide its real file extension (double extension)
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • 0438.pdf.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\0438.pdf.exe" MD5: 2D11DBA46735AF1CB1C0A42E9564E20D)
    • msiexec.exe (PID: 7520 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • Acrobat.exe (PID: 7540 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
      • AcroCEF.exe (PID: 7816 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • AcroCEF.exe (PID: 8032 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1604,i,14248424182564037547,2314373854622466325,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
  • msiexec.exe (PID: 7584 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • ROMFUSClient.exe (PID: 6244 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 7220 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8260 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8296 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8316 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start MD5: 63D0964168B927D00064AA684E79A300)
      • ROMServer.exe (PID: 8356 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start MD5: F3D74B072B9697CF64B0B8445FDC8128)
  • svchost.exe (PID: 7888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • ROMServer.exe (PID: 8372 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" MD5: F3D74B072B9697CF64B0B8445FDC8128)
    • ROMFUSClient.exe (PID: 8516 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" MD5: 63D0964168B927D00064AA684E79A300)
    • ROMFUSClient.exe (PID: 8528 cmdline: "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray MD5: 63D0964168B927D00064AA684E79A300)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
    C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
      C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
        C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
            00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              9.0.ROMServer.exe.400000.0.unpackJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security
                8.0.ROMFUSClient.exe.400000.0.unpackJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Suspicious Double Extension File Execution
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine: "C:\Users\user\Desktop\0438.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\0438.pdf.exe, NewProcessName: C:\Users\user\Desktop\0438.pdf.exe, OriginalFileName: C:\Users\user\Desktop\0438.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\0438.pdf.exe", ProcessId: 7428, ProcessName: 0438.pdf.exe
                  Sigma detected: Suspicious Outbound SMTP Connections
                  Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 111.90.140.76, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Initiated: true, ProcessId: 8372, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 56363
                  Sigma detected: Windows Processes Suspicious Parent Directory
                  Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7888, ProcessName: svchost.exe

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Multi AV Scanner detection for submitted file
                  Source: 0438.pdf.exeReversingLabs: Detection: 44%
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtfJump to behavior
                  Source: 0438.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe
                  Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: c:
                  Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C044B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C044B190
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C04340BC
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C045FCA0 FindFirstFileExA,0_2_00007FF6C045FCA0
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\winmm.dll

                  Networking

                  barindex
                  Connects to many ports of the same IP (likely port scanning)
                  Source: global trafficTCP traffic: 111.90.140.76 ports 5651,8080,1,465,5,6,80
                  Enables network access during safeboot for specific services
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeRegistry value created: NULL Service
                  Source: global trafficTCP traffic: 192.168.2.4:56360 -> 111.90.140.76:5651
                  Source: global trafficTCP traffic: 192.168.2.4:56365 -> 65.21.245.7:5555
                  Source: Joe Sandbox ViewIP Address: 96.7.168.138 96.7.168.138
                  Source: Joe Sandbox ViewIP Address: 65.21.245.7 65.21.245.7
                  Source: Joe Sandbox ViewASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
                  Source: global trafficHTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 96.7.168.138
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 65.21.245.7
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: unknownTCP traffic detected without corresponding DNS query: 111.90.140.76
                  Source: global trafficHTTP traffic detected: GET /onboarding/smskillreader.txt HTTP/1.1Host: armmf.adobe.comConnection: keep-aliveAccept-Language: en-US,en;q=0.9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brIf-None-Match: "78-5faa31cce96da"If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                  Source: global trafficDNS traffic detected: DNS query: x1.i.lencr.org
                  Source: AledensoftIpcServer.dll.3.dr, ROMwln.dll.3.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                  Source: svchost.exe, 00000005.00000002.3369539538.0000024EF0600000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF04A8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                  Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                  Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                  Source: edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF04A8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF04A8000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF04DD000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                  Source: edb.log.5.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                  Source: 503872.rbs.3.dr, Turkish.lg.3.dr, ROMFUSClient.exe.3.drString found in binary or memory: http://litemanager.com/
                  Source: ROMFUSClient.exe, 00000011.00000002.3565595344.0000000002803000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://litemanager.com/03
                  Source: ROMServer.exe, 0000000E.00000002.3565595494.0000000001693000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://litemanager.com/03i
                  Source: ROMFUSClient.exe, 00000011.00000002.3565595344.00000000027FC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://litemanager.com/1
                  Source: ROMFUSClient.exe, 00000008.00000000.1782110715.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1791801540.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Ukrainian.lg.3.dr, Russian.lg.3.dr, ROMFUSClient.exe.3.drString found in binary or memory: http://litemanager.ru/
                  Source: Ukrainian.lg.3.drString found in binary or memory: http://litemanager.ru/forum/ru/memberlist.php?mode=viewprofile&u=977.
                  Source: ROMServer.exe, 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmpString found in binary or memory: http://litemanager.ru/noip.txtU
                  Source: AledensoftIpcServer.dll.3.dr, ROMwln.dll.3.drString found in binary or memory: http://ocsp.comodoca.com0
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: http://ocsp.sectigo.com0
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://ocsp.thawte.com0
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://s2.symcb.com0
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://sv.symcb.com/sv.crt0
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://sv.symcd.com0&
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
                  Source: 503872.rbs.3.drString found in binary or memory: http://www.LiteManagerTeam.com
                  Source: ROMFUSClient.exe, 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMFUSClient.exe, 00000008.00000003.1800618576.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000009.00000000.1786776059.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000009.00000003.1793938281.0000000002947000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000A.00000003.1810819906.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000003.1809303676.0000000002997000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000C.00000003.1846423065.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000D.00000003.1842258416.0000000002AA7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000002.3565595494.00000000015F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3565165709.0000000002757000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3565595344.0000000002767000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.3.drString found in binary or memory: http://www.indyproject.org/
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://www.symauth.com/cps0(
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: http://www.symauth.com/rpa00
                  Source: 2D85F72862B55C4EADD9E66E06947F3D0.4.drString found in binary or memory: http://x1.i.lencr.org/
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: https://d.symcb.com/cps0%
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drString found in binary or memory: https://d.symcb.com/rpa0
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF0552000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                  Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                  Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                  Source: edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF0552000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                  Source: ROMFUSClient.exe, 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.drString found in binary or memory: https://litemanager.com/romversion.txt
                  Source: ROMFUSClient.exe, 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.drString found in binary or memory: https://litemanager.com/soft/pro/ROMServer.zip
                  Source: svchost.exe, 00000005.00000003.1714090201.0000024EF0552000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
                  Source: edb.log.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
                  Source: ROMFUSClient.exe.3.drString found in binary or memory: https://sectigo.com/CPS0
                  Source: unknownNetwork traffic detected: HTTP traffic on port 56266 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 56266

                  System Summary

                  barindex
                  Initial sample is a PE file and has a suspicious name
                  Source: initial sampleStatic PE information: Filename: 0438.pdf.exe
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C042C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C042C2F0
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\503870.msiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3D90.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exeJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exeJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exeJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exeJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exeJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\503873.msiJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\503873.msiJump to behavior
                  Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\503873.msiJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C044B1900_2_00007FF6C044B190
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04434840_2_00007FF6C0443484
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043A4AC0_2_00007FF6C043A4AC
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04507540_2_00007FF6C0450754
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04349280_2_00007FF6C0434928
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C042F9300_2_00007FF6C042F930
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0425E240_2_00007FF6C0425E24
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C044CE880_2_00007FF6C044CE88
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0441F200_2_00007FF6C0441F20
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043F1800_2_00007FF6C043F180
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04421D00_2_00007FF6C04421D0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04272880_2_00007FF6C0427288
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043126C0_2_00007FF6C043126C
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C042A3100_2_00007FF6C042A310
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C042C2F00_2_00007FF6C042C2F0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04453F00_2_00007FF6C04453F0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043B5340_2_00007FF6C043B534
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04625500_2_00007FF6C0462550
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04276C00_2_00007FF6C04276C0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C045C8380_2_00007FF6C045C838
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04248400_2_00007FF6C0424840
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04589A00_2_00007FF6C04589A0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043C96C0_2_00007FF6C043C96C
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04439640_2_00007FF6C0443964
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C045FA940_2_00007FF6C045FA94
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0442AB00_2_00007FF6C0442AB0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0421AA40_2_00007FF6C0421AA4
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0431A480_2_00007FF6C0431A48
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0465AF80_2_00007FF6C0465AF8
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043BB900_2_00007FF6C043BB90
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0444B980_2_00007FF6C0444B98
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0435B600_2_00007FF6C0435B60
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0458C1C0_2_00007FF6C0458C1C
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0442D580_2_00007FF6C0442D58
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0448DF40_2_00007FF6C0448DF4
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04507540_2_00007FF6C0450754
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C043AF180_2_00007FF6C043AF18
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04620800_2_00007FF6C0462080
                  Source: ROMViewer.exe.3.drStatic PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                  Source: ROMServer.exe.3.drStatic PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                  Source: ROMServer.exe0.3.drStatic PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                  Source: ROMServer.exe0.3.drStatic PE information: Number of sections : 11 > 10
                  Source: ROMServer.exe.3.drStatic PE information: Number of sections : 11 > 10
                  Source: ROMViewer.exe.3.drStatic PE information: Number of sections : 11 > 10
                  Source: ROMFUSClient.exe.3.drStatic PE information: Number of sections : 11 > 10
                  Source: ROMViewer.exe.3.drStatic PE information: Resource name: RT_RCDATA type: Delphi compiled form 'TfmEditBinaryValue'
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE706000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE672000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSetAllUsers.dll< vs 0438.pdf.exe
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameISRegSvr.dll vs 0438.pdf.exe
                  Source: 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE712000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_IsIcoRes.exe< vs 0438.pdf.exe
                  Source: 0438.pdf.exe, 00000000.00000003.1699116379.000001C7FA729000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAcrobat.exe< vs 0438.pdf.exe
                  Source: classification engineClassification label: mal76.troj.evad.winEXE@37/92@1/4
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C042B6D8 GetLastError,FormatMessageW,LocalFree,0_2_00007FF6C042B6D8
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0448624 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,0_2_00007FF6C0448624
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - ServerJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeFile created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journalJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSLocal
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeMutant created: \Sessions\1\BaseNamedObjects\Local\ROMFUSTray
                  Source: C:\Users\user\Desktop\0438.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5256140Jump to behavior
                  Source: Yara matchFile source: 9.0.ROMServer.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 8.0.ROMFUSClient.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                  Source: Yara matchFile source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, type: DROPPED
                  Source: Yara matchFile source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, type: DROPPED
                  Source: 0438.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                  Source: C:\Users\user\Desktop\0438.pdf.exeFile read: C:\Windows\win.iniJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 0438.pdf.exeReversingLabs: Detection: 44%
                  Source: C:\Users\user\Desktop\0438.pdf.exeFile read: C:\Users\user\Desktop\0438.pdf.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\0438.pdf.exe "C:\Users\user\Desktop\0438.pdf.exe"
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
                  Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                  Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1604,i,14248424182564037547,2314373854622466325,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                  Source: unknownProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qnJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"Jump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstallJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewallJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /startJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1604,i,14248424182564037547,2314373854622466325,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstallJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: dxgidebug.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: riched20.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: usp10.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: textshaping.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: textinputframework.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: coreuicomponents.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: dlnashext.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: wpdshext.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\msiexec.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: propsys.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: edputil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: urlmon.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iertutil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: srvcli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wintypes.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: appresolver.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: bcp47langs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: slc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: apphelp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: apphelp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: propsys.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: edputil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: urlmon.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iertutil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: srvcli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wintypes.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: appresolver.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: bcp47langs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: slc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: firewallapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dnsapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwpolicyiomgr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sxs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dwmapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: propsys.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: edputil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: urlmon.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: iertutil.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: srvcli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wintypes.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: appresolver.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: bcp47langs.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: slc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sppc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: pcacli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: mpr.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: sfc_os.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: avifil32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wsock32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: powrprof.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: netutils.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winmmbase.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: umpdc.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: kernel.appcore.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wtsapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: winsta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: uxtheme.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: security.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: secur32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: sspicli.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: windows.storage.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: wldp.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: fwpuclnt.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: idndl.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iphlpapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: ntmarta.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msxml6.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iccvid.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: iyuv_32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msrle32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msvidc32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: tsbyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: msyuv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: userenv.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: profapi.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeSection loaded: mswsock.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmm.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: avicap32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: version.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: netapi32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msacm32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: dsound.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: msvfw32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeSection loaded: winmmbase.dll
                  Source: C:\Users\user\Desktop\0438.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                  Source: Start LM-Server.lnk.3.drLNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Uninstall LiteManager - Server.lnk.3.drLNK file: ..\..\..\..\..\..\Windows\SysWOW64\msiexec.exe
                  Source: Stop LM-Server.lnk.3.drLNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Settings for LM-Server.lnk.3.drLNK file: ..\..\..\..\..\..\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: 0438.pdf.exeStatic PE information: Image base 0x140000000 > 0x60000000
                  Source: 0438.pdf.exeStatic file information: File size 11654747 > 1048576
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 0438.pdf.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Source: 0438.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 0438.pdf.exe
                  Source: 0438.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 0438.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 0438.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 0438.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 0438.pdf.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\0438.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_5256140Jump to behavior
                  Source: 0438.pdf.exeStatic PE information: section name: .didat
                  Source: 0438.pdf.exeStatic PE information: section name: _RDATA
                  Source: ROMViewer.exe.3.drStatic PE information: section name: .didata
                  Source: ROMFUSClient.exe.3.drStatic PE information: section name: .didata
                  Source: ROMwln.dll.3.drStatic PE information: section name: .didata
                  Source: ROMServer.exe.3.drStatic PE information: section name: .didata
                  Source: HookDrv.dll.3.drStatic PE information: section name: .didata
                  Source: ROMServer.exe0.3.drStatic PE information: section name: .didata
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0465166 push rsi; retf 0_2_00007FF6C0465167
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0465156 push rsi; retf 0_2_00007FF6C0465157
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtfJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\romserver.exe
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - ServerJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnkJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnkJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnkJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnkJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Uses an obfuscated file name to hide its real file extension (double extension)
                  Source: Possible double extension: pdf.exeStatic PE information: 0438.pdf.exe
                  Source: C:\Windows\System32\msiexec.exeKey value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\LiteManager\v3.4\Server\Parameters NoIPSettingsJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOGPFAULTERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeWindow / User API: threadDelayed 2446
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeWindow / User API: threadDelayed 7442
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dllJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exeJump to dropped file
                  Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exeJump to dropped file
                  Source: C:\Windows\System32\svchost.exe TID: 7976Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\svchost.exe TID: 8212Thread sleep time: -30000s >= -30000sJump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe TID: 9120Thread sleep count: 60 > 30
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8608Thread sleep time: -1223000s >= -30000s
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe TID: 8608Thread sleep time: -3721000s >= -30000s
                  Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeLast function: Thread delayed
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C044B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C044B190
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04340BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C04340BC
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C045FCA0 FindFirstFileExA,0_2_00007FF6C045FCA0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04516A4 VirtualQuery,GetSystemInfo,0_2_00007FF6C04516A4
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\wininet.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\winspool.drv
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\COMCTL32.dll
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeFile opened: C:\Windows\SysWOW64\winmm.dll
                  Source: ROMFUSClient.exe, 0000000C.00000002.1851645963.0000000000DF3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: ROMFUSClient.exe, 00000008.00000003.1801349752.0000000000B7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
                  Source: svchost.exe, 00000005.00000002.3368919494.0000024EEB02B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3369679294.0000024EF065B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: ROMFUSClient.exe, 00000008.00000003.1801349752.0000000000B7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                  Source: ROMServer.exe, 0000000E.00000002.3564893821.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3563770467.0000000000B39000.00000004.00000020.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3563690116.0000000000BB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0453170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C0453170
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0460D20 GetProcessHeap,0_2_00007FF6C0460D20
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess token adjusted: Debug
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeProcess token adjusted: Debug
                  Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /startJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0453170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C0453170
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0453354 SetUnhandledExceptionFilter,0_2_00007FF6C0453354
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0452510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF6C0452510
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04576D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF6C04576D8
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C044B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C044B190
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qnJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"Jump to behavior
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeProcess created: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe "C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04658E0 cpuid 0_2_00007FF6C04658E0
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF6C044A2CC
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C0450754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF6C0450754
                  Source: C:\Users\user\Desktop\0438.pdf.exeCode function: 0_2_00007FF6C04351A4 GetVersionExW,0_2_00007FF6C04351A4

                  Remote Access Functionality

                  barindex
                  Enables remote desktop connection
                  Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server AllowRemoteRPC

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure1
                  Replication Through Removable Media                  		Windows Management Instrumentation1
                  DLL Side-Loading                  		1
                  Exploitation for Privilege Escalation                  		1
                  Disable or Modify Tools                  		OS Credential Dumping1
                  System Time Discovery                  		1
                  Remote Desktop Protocol                  		1
                  Archive Collected Data                  		1
                  Ingress Tool Transfer                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  Windows Service                  		1
                  DLL Side-Loading                  		11
                  Obfuscated Files or Information                  		LSASS Memory11
                  Peripheral Device Discovery                  		Remote Desktop ProtocolData from Removable Media11
                  Encrypted Channel                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAt1
                  Registry Run Keys / Startup Folder                  		1
                  Windows Service                  		1
                  Software Packing                  		Security Account Manager3
                  File and Directory Discovery                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Standard Port                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook11
                  Process Injection                  		1
                  DLL Side-Loading                  		NTDS65
                  System Information Discovery                  		Distributed Component Object ModelInput Capture2
                  Non-Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                  Registry Run Keys / Startup Folder                  		1
                  File Deletion                  		LSA Secrets31
                  Security Software Discovery                  		SSHKeylogging13
                  Application Layer Protocol                  		Scheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts122
                  Masquerading                  		Cached Domain Credentials2
                  Virtualization/Sandbox Evasion                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                  Modify Registry                  		DCSync1
                  Process Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                  Virtualization/Sandbox Evasion                  		Proc Filesystem1
                  Application Window Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                  Process Injection                  		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545741 Sample: 0438.pdf.exe Startdate: 30/10/2024 Architecture: WINDOWS Score: 76 53 x1.i.lencr.org 2->53 63 Multi AV Scanner detection for submitted file 2->63 65 Sigma detected: Suspicious Double Extension File Execution 2->65 67 Uses an obfuscated file name to hide its real file extension (double extension) 2->67 69 2 other signatures 2->69 9 ROMServer.exe 2->9         started        13 msiexec.exe 99 61 2->13         started        16 0438.pdf.exe 6 9 2->16         started        18 svchost.exe 1 1 2->18         started        signatures3 process4 dnsIp5 55 111.90.140.76, 465, 56360, 56361 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 9->55 57 65.21.245.7, 5555, 56364, 56365 CP-ASDE United States 9->57 71 Enables remote desktop connection 9->71 73 Enables network access during safeboot for specific services 9->73 20 ROMFUSClient.exe 9->20         started        22 ROMFUSClient.exe 9->22         started        45 C:\Program Files (x86)\...\ROMServer.exe, PE32 13->45 dropped 47 stop_server_51B516...3C56354EA2277C2.exe, PE32 13->47 dropped 49 config_server_B6BD...764F06ADFFD6458.exe, PE32 13->49 dropped 51 9 other files (none is malicious) 13->51 dropped 24 ROMFUSClient.exe 13->24         started        26 ROMFUSClient.exe 13->26         started        28 ROMFUSClient.exe 13->28         started        30 Acrobat.exe 74 16->30         started        32 msiexec.exe 16->32         started        59 127.0.0.1 unknown unknown 18->59 file6 signatures7 process8 process9 34 ROMServer.exe 24->34         started        36 ROMServer.exe 26->36         started        38 ROMServer.exe 28->38         started        40 AcroCEF.exe 106 30->40         started        process10 42 AcroCEF.exe 40->42         started        dnsIp11 61 96.7.168.138, 443, 56266 INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR United States 42->61

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  0438.pdf.exe45%ReversingLabsWin32.Trojan.Generic

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll0%ReversingLabs
                  C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll0%ReversingLabs
                  C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe3%ReversingLabs
                  C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe3%ReversingLabs
                  C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll0%ReversingLabs
                  C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe3%ReversingLabs
                  C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe3%ReversingLabs
                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe0%ReversingLabs
                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe0%ReversingLabs
                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe0%ReversingLabs
                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe0%ReversingLabs
                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe0%ReversingLabs

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://x1.i.lencr.org/0%URL Reputationsafe
                  https://sectigo.com/CPS00%URL Reputationsafe
                  http://ocsp.sectigo.com00%URL Reputationsafe
                  http://ocsp.thawte.com00%URL Reputationsafe
                  https://g.live.com/odclientsettings/ProdV2.C:0%URL Reputationsafe
                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s0%URL Reputationsafe
                  http://www.indyproject.org/0%URL Reputationsafe
                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#0%URL Reputationsafe
                  http://www.symauth.com/cps0(0%URL Reputationsafe
                  https://g.live.com/odclientsettings/Prod.C:0%URL Reputationsafe
                  https://g.live.com/odclientsettings/ProdV20%URL Reputationsafe
                  http://crl.thawte.com/ThawteTimestampingCA.crl00%URL Reputationsafe
                  https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c960%URL Reputationsafe
                  http://www.symauth.com/rpa000%URL Reputationsafe
                  https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b60%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  x1.i.lencr.org
                  		unknown
                  		unknownfalse
                    		unknown

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://litemanager.ru/ROMFUSClient.exe, 00000008.00000000.1782110715.00000000008E4000.00000002.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1791801540.00000000009FE000.00000002.00000001.01000000.0000000C.sdmp, Ukrainian.lg.3.dr, Russian.lg.3.dr, ROMFUSClient.exe.3.drfalse
                      		unknown
                      http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.4.drfalse
                      • URL Reputation: safe
                      		unknown
                      https://sectigo.com/CPS0ROMFUSClient.exe.3.drfalse
                      • URL Reputation: safe
                      		unknown
                      http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#ROMFUSClient.exe.3.drfalse
                        		unknown
                        https://litemanager.com/romversion.txtROMFUSClient.exe, 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.drfalse
                          		unknown
                          http://litemanager.com/03iROMServer.exe, 0000000E.00000002.3565595494.0000000001693000.00000004.00001000.00020000.00000000.sdmpfalse
                            		unknown
                            http://ocsp.sectigo.com0ROMFUSClient.exe.3.drfalse
                            • URL Reputation: safe
                            		unknown
                            http://litemanager.ru/forum/ru/memberlist.php?mode=viewprofile&u=977.Ukrainian.lg.3.drfalse
                              		unknown
                              http://ocsp.thawte.com00438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drfalse
                              • URL Reputation: safe
                              		unknown
                              http://litemanager.ru/noip.txtUROMServer.exe, 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmpfalse
                                		unknown
                                http://crl.ver)svchost.exe, 00000005.00000002.3369539538.0000024EF0600000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://g.live.com/odclientsettings/ProdV2.C:edb.log.5.drfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sROMFUSClient.exe.3.drfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.LiteManagerTeam.com503872.rbs.3.drfalse
                                    		unknown
                                    http://www.indyproject.org/ROMFUSClient.exe, 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMFUSClient.exe, 00000008.00000003.1800618576.00000000028D7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 00000009.00000000.1786776059.0000000000951000.00000020.00000001.01000000.0000000C.sdmp, ROMServer.exe, 00000009.00000003.1793938281.0000000002947000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000A.00000003.1810819906.00000000028A7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000B.00000003.1809303676.0000000002997000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 0000000C.00000003.1846423065.00000000027F7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000D.00000003.1842258416.0000000002AA7000.00000004.00001000.00020000.00000000.sdmp, ROMServer.exe, 0000000E.00000002.3565595494.00000000015F7000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000010.00000002.3565165709.0000000002757000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe, 00000011.00000002.3565595344.0000000002767000.00000004.00001000.00020000.00000000.sdmp, ROMFUSClient.exe.3.drfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#ROMFUSClient.exe.3.drfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.symauth.com/cps0(0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://litemanager.com/1ROMFUSClient.exe, 00000011.00000002.3565595344.00000000027FC000.00000004.00001000.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://g.live.com/odclientsettings/Prod.C:edb.log.5.drfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0ROMFUSClient.exe.3.drfalse
                                        		unknown
                                        https://litemanager.com/soft/pro/ROMServer.zipROMFUSClient.exe, 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, ROMServer.exe, 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, ROMFUSClient.exe.3.drfalse
                                          		unknown
                                          http://litemanager.com/03ROMFUSClient.exe, 00000011.00000002.3565595344.0000000002803000.00000004.00001000.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://g.live.com/odclientsettings/ProdV2edb.log.5.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://crl.thawte.com/ThawteTimestampingCA.crl00438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96svchost.exe, 00000005.00000003.1714090201.0000024EF0552000.00000004.00000800.00020000.00000000.sdmp, edb.log.5.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.symauth.com/rpa000438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6EC000.00000004.00000020.00020000.00000000.sdmp, 0438.pdf.exe, 00000000.00000003.1694197998.000001C7FE6AE000.00000004.00000020.00020000.00000000.sdmp, pdf.msi.0.drfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0zROMFUSClient.exe.3.drfalse
                                              		unknown
                                              http://litemanager.com/503872.rbs.3.dr, Turkish.lg.3.dr, ROMFUSClient.exe.3.drfalse
                                                		unknown
                                                https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000005.00000003.1714090201.0000024EF0552000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.drfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#ROMFUSClient.exe.3.drfalse
                                                  		unknown

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  96.7.168.138
                                                  		unknownUnited States
                                                  		262589INTERNEXABRASILOPERADORADETELECOMUNICACOESSABRfalse
                                                  111.90.140.76
                                                  		unknownMalaysia
                                                  		45839SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYtrue
                                                  65.21.245.7
                                                  		unknownUnited States
                                                  		199592CP-ASDEfalse

                                                  Private

                                                  IP
                                                  127.0.0.1

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1545741
                                                  Start date and time:2024-10-30 22:45:13 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 8m 4s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Run name:Run with higher sleep bypass
                                                  Number of analysed new started processes analysed:21
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:0438.pdf.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name: .pdf.exe
                                                  Detection:MAL
                                                  Classification:mal76.troj.evad.winEXE@37/92@1/4
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 69
                                                  • Number of non-executed functions: 93
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                  • Excluded IPs from analysis (whitelisted): 184.28.88.176, 2.19.126.149, 2.19.126.143, 52.5.13.197, 52.202.204.11, 23.22.254.206, 54.227.187.23, 172.64.41.3, 162.159.61.3, 184.28.90.27, 2.23.197.184, 23.32.184.135, 93.184.221.240, 2.19.11.122, 2.19.11.117
                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, e4578.dscb.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, wu.azureedge.net, ocsp.digicert.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net, fs.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, p13n.adobe.io, fe3cr.delivery.mp.microsoft.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, geo2.adobe.com
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: 0438.pdf.exe

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  17:46:54API Interceptor75177x Sleep call for process: ROMFUSClient.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  96.7.168.138401K .pdfGet hashmaliciousHTMLPhisherBrowse
                                                    http://assets.website-files.com/65f02117700897a29c49fb10/65f7c129cb837c2310c7044e_tisamijujute.pdfGet hashmaliciousUnknownBrowse
                                                      Oakville_Service_Update_d76b33a1-3420-40be-babd-e82e253ad25c.pdfGet hashmaliciousHTMLPhisherBrowse
                                                        2025+Policies_645622_929-5.pdfGet hashmaliciousUnknownBrowse
                                                          https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0Get hashmaliciousAbobus ObfuscatorBrowse
                                                            Sars Urgent Notice.pdfGet hashmaliciousUnknownBrowse
                                                              tue.batGet hashmaliciousUnknownBrowse
                                                                https://dl.dropboxusercontent.com/scl/fi/kzw07ghqs05mfyhu8o3ey/BestellungVRG020002.zip?rlkey=27cmmjv86s5ygdnss2oa80i1o&st=86cnbbyp&dl=0Get hashmaliciousUnknownBrowse
                                                                  111.90.140.76gBYz86HSwI.msiGet hashmaliciousUnknownBrowse
                                                                    65.21.245.7J4zGPhVRV3.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                      J4zGPhVRV3.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                        FPPhfkcDCh.exeGet hashmaliciousRemcosBrowse
                                                                          gBYz86HSwI.msiGet hashmaliciousUnknownBrowse
                                                                            044f.pdf.scrGet hashmaliciousRMSRemoteAdminBrowse

                                                                              Domains

                                                                              No context

                                                                              ASNs

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMYJ4zGPhVRV3.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                              • 111.90.140.34
                                                                              J4zGPhVRV3.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                              • 111.90.140.34
                                                                              FPPhfkcDCh.exeGet hashmaliciousRemcosBrowse
                                                                              • 101.99.93.169
                                                                              gBYz86HSwI.msiGet hashmaliciousUnknownBrowse
                                                                              • 111.90.140.76
                                                                              b.cmdGet hashmaliciousUnknownBrowse
                                                                              • 101.99.92.203
                                                                              INTERNEXABRASILOPERADORADETELECOMUNICACOESSABR401K .pdfGet hashmaliciousHTMLPhisherBrowse
                                                                              • 96.7.168.138
                                                                              http://assets.website-files.com/65f02117700897a29c49fb10/65f7c129cb837c2310c7044e_tisamijujute.pdfGet hashmaliciousUnknownBrowse
                                                                              • 96.7.168.138
                                                                              Oakville_Service_Update_d76b33a1-3420-40be-babd-e82e253ad25c.pdfGet hashmaliciousHTMLPhisherBrowse
                                                                              • 96.7.168.138
                                                                              2025+Policies_645622_929-5.pdfGet hashmaliciousUnknownBrowse
                                                                              • 96.7.168.138
                                                                              https://dl.dropboxusercontent.com/scl/fi/95is2w1ywjvorzayt88dp/DKM-0192PDF.zip?rlkey=svoej4s4tb5lwbnvthtgrmokl&st=d99zdn1k&dl=0Get hashmaliciousAbobus ObfuscatorBrowse
                                                                              • 96.7.168.138
                                                                              Sars Urgent Notice.pdfGet hashmaliciousUnknownBrowse
                                                                              • 96.7.168.138
                                                                              la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                                                              • 200.220.206.173
                                                                              tue.batGet hashmaliciousUnknownBrowse
                                                                              • 96.7.168.138
                                                                              CP-ASDEJ4zGPhVRV3.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                              • 65.21.245.7
                                                                              J4zGPhVRV3.exeGet hashmaliciousRMSRemoteAdminBrowse
                                                                              • 65.21.245.7
                                                                              FPPhfkcDCh.exeGet hashmaliciousRemcosBrowse
                                                                              • 65.21.245.7
                                                                              gBYz86HSwI.msiGet hashmaliciousUnknownBrowse
                                                                              • 65.21.245.7
                                                                              SALARY OF OCT 2024.exeGet hashmaliciousFormBookBrowse
                                                                              • 65.21.196.90

                                                                              JA3 Fingerprints

                                                                              No context

                                                                              Dropped Files

                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                              C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dllgBYz86HSwI.msiGet hashmaliciousUnknownBrowse
                                                                                C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dllgBYz86HSwI.msiGet hashmaliciousUnknownBrowse

                                                                                  Created / dropped Files

                                                                                  C:\Config.Msi\503872.rbs

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:modified
                                                                                  Size (bytes):25210
                                                                                  Entropy (8bit):5.137975751443757
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:6S75t8t+CqZ+oNbynfBytjj3ItCgCVOVv:6S1t8t+CqZ+oNbynfEtItpAMv
                                                                                  MD5:932E9DB62A7E4BB81C9A0D77523E1C6F
                                                                                  SHA1:4D62330936B1B90BE5332F82619234FD11550A9F
                                                                                  SHA-256:A02435E5F86ED1D73B632A072C845AFF1E4DC63ABEC3801DFCBC31D6E068794B
                                                                                  SHA-512:AC400FF7B88AAA80E2F83F65C28AECF8A92B415E138055CD9D63CB93ED682E50874B3DAF6D61F56914AB1CD5CA9EC74902C0257B8E063A6241DC17B15286A53B
                                                                                  Malicious:false
                                                                                  Preview:...@IXOS.@.....@.^Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3244CDE6-6414-4399-B0D5-424562747210}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{A3DC5A2F-2249-4674-B

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\AledensoftIpcServer.dll

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):132032
                                                                                  Entropy (8bit):6.10195829980833
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:sh/1J7RYdzZU4Z5tegH1q888888888888W888888888882zgP:sh/jIZPZ5tJ8888888888888W888888s
                                                                                  MD5:C40455A478E0B76521130D9DAAAADC4B
                                                                                  SHA1:42DE923D5E36A9F56B002DD66DB245BC44480089
                                                                                  SHA-256:308085BC357BF3A3BEE0D662FCC01628E9EE2FFD478AE0F1E7140939AD99B892
                                                                                  SHA-512:76ED6D763F603BCAA7FE186C0A7449E614DCDB18036F7587C6E5A11C3F3269E400E3D2062856CC280AC20C094617924783B6C360F25AF66767DCC53C2F3045C9
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: gBYz86HSwI.msi, Detection: malicious, Browse
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....xK............................p........ ..........................................................................\.......\...............................x#...................................................................................text...$........................... ..`.itext.............................. ..`.data...0.... ......................@....bss....xN...@...........................idata..\...........................@....edata..\............&..............@..@.reloc..x#.......$...(..............@..B.rsrc................L..............@..@....................................@..@........................................................................................................................................

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\EULA.rtf

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Rich Text Format data, version 1, ANSI, code page 1251, default language ID 1049
                                                                                  Category:dropped
                                                                                  Size (bytes):58679
                                                                                  Entropy (8bit):4.738446173390891
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:bkJC7UF9eVWSlBY8Aq9CBGDtD8gX1ZDCZjewbAsCw1vPDQuJPQzusxxeCNHnPPsT:htwqueMZYU
                                                                                  MD5:BAED4E7AF33F77350D454B69317EE63B
                                                                                  SHA1:2B598774F0C73850A36117F29EA8DAC57BE1C138
                                                                                  SHA-256:671D65183C39E53FC1759C45B105A0FBE2D3A216E4099B66D5FCF274EA625E07
                                                                                  SHA-512:E740997BDECB8F907A000D01BF3E823898A1289D1DBFAE5BF342D4BCB6FF09D258317955F4FD858FF6B239E5BA08E49E90CDEC06E24DABDB18C1CF2D8943590C
                                                                                  Malicious:false
                                                                                  Preview:{\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch37\stshfhich37\stshfbi37\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\f1\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fmodern\fcharset204\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}..{\f10\fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f37\fswiss\fcharset204\fprq2{\*\panose 020f0502020204030204}Calibri;}{\f211\froman\fcharset0\fprq2 Times New Roman{\*\falt Times New Roman};}..{\f209\froman\fcharset238\fprq2 Times New Roman CE{\*\falt Times New Roman};}{\f212\froman\fcharset161\fprq2 Times New Roman Greek{\*\falt Times New Roman};}{\f213\froman\fcharset162\fprq2 Times New Roman Tur{\*\falt Times New Roman};}..{\f214\froman\fcharset177\fprq2 Times New Roman (Hebrew){\*\falt Times New Roman};}{\f215\froman\fcharset178\fprq2 Time

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\English.lg

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):89220
                                                                                  Entropy (8bit):3.469297258214741
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:YvozCzKUNNfMnuQhgdXT0Z2BPshK+4aCWpQJ3OEInKDcbztlXnpQbbMv3PI:Yvoz4TXTI2pQCWOJvgXnpQbS3PI
                                                                                  MD5:B1C96EF24061BF294CAC6C4C9CBF7757
                                                                                  SHA1:5D1B1934091E257B5F1C69B13F5FC1E424348584
                                                                                  SHA-256:20DB884523DA62C20F80B8A3BB71E11091B90A443B83C06D8FE2A1BBC00C1C33
                                                                                  SHA-512:6E90562FD804F91DDADEF2310551063D34B859FF1CC6E58A41667E9CDA062DCA851C8455882EF47CF3E1A8EC21EBD9F0761F15E54174CC4A95427238CB39BA14
                                                                                  Malicious:false
                                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.3.3.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .Q.u.e.s.t.i.o.n.....e.r.r.o.r. .=. .E.r.r.o.r.....i.n.f.o.r.m.a.t.i.o.n. .=. .I.n.f.o.r.m.a.t.i.o.n.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .N.o.t.i.f.i.c.a.t.i.o.n.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .C.a.n. .n.o.t. .r.e.a.d. .s.e.r.v.i.c.e. .c.o.n.f.i.g.u.r.a.t.i.o.n...\.n.;.R.e.i.n.s.t.a.l.l. .L.i.t.e.M.a.n.a.g.e.r. .s.e.r.v.i.c.e.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .C.a.n. .n.o.t. .s.e.t. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r. .s.e.r.v.i.c.e. .s.t.a.r.t.u.p. .m.o.d.e...\.n.;.R.e.b.o.o.t. .s.y.s.t.e.m.,. .p.l.e.a.s.e.......

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\HookDrv.dll

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):201728
                                                                                  Entropy (8bit):6.3607488106285075
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:rmqdVRkbN1G3OKtVLqKc3IuQquARCASmShKJ:rmyTmNw3zqKcFLRs
                                                                                  MD5:1D4F8CFC7BBF374CCC3AAE6045B2133D
                                                                                  SHA1:802EDF0B0ED1D0305BCD6688EE3301366FEC1337
                                                                                  SHA-256:C04885562F17BAEEFBCD2D4FC29F054EB8A66C44BD015750498C69A912D94C1F
                                                                                  SHA-512:68643A30FEA87B2B61AF546F42BF32A25459152C1BCCE5A8A881714139CE828DFE4237874FF1E9CC3B78D6CDBEF7DD45C9F3459C3337D83693C704C274AFFF3E
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Joe Sandbox View:
                                                                                  • Filename: gBYz86HSwI.msi, Detection: malicious, Browse
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...|..[.................\...........v............@.................................................................. ...................@...................@...G..................................................$................................text....S.......T.................. ..`.itext..D....p.......X.............. ..`.data...<............`..............@....bss....<Y...............................idata...............z..............@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc...G...@...H..................@..B.rsrc....@.......@..................@..@....................................@..@........................................................

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\Lang\Taiwan.lg

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):61034
                                                                                  Entropy (8bit):4.429529654892776
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:nebbtdP4XFsh6HWiIZTYp7JtMLG54ttg2kGPyWtvQTznCKDMlV2f:ne3KOhTTocL8HnMlV2f
                                                                                  MD5:7303B5AE0B8911CEB238DC01419695BE
                                                                                  SHA1:22B89BDB8FAEC62BA3E66639E38E6271B593944A
                                                                                  SHA-256:88155FB3F0E198AA4A24F9CFECBB83C5A4E081C6EA362BC50294410CB2FB5C50
                                                                                  SHA-512:8AE802616AF60BAF214E254F6A55D312DC46B6E3F8BEE5F50E30E372FF38103776278B5FB07A562C2149EEA58107CB427A03B1629F72044AB69D3507E5DFAB15
                                                                                  Malicious:false
                                                                                  Preview:[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.2.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .OUL.....e.r.r.o.r. .=. ./.......i.n.f.o.r.m.a.t.i.o.n. .=. ........n.o.t.i.f.i.c.a.t.i.o.n. .=. ....w....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .!q.l...S.g.RD}Ka.0\.n.;...e.[. .L.i.t.e.M.a.n.a.g.e.r. ..g.R?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .!q.l-..[ .L.i.t.e.M.a.n.a.g.e.r. .:O.ghV.g.R_U.R!j._.0\.n.;....e.._j.|q}.0....f.m._.s.e.t.t.i.n.g.s._.r.e.s.t.a.r.t._.s.e.r.v.i.c.e._.t.o._.a.p.p.l.y. .=. ....e_U.R .L.M. .:O.ghV.a(u.z._.NWY(u...f.0....f.m._.s.e.c.u.r.i.t.y._.f.o.r.c.e._.g.u.e.s.t. .=. .7_6R.O.(Wdk.|q}.N-..[.....asTW.@b.g.}..O(u.....S.g.O.X[.S.kP..0 .!q.l.O(u.07_

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\Lang\Turkish.lg

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):58794
                                                                                  Entropy (8bit):3.642324420313977
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:D+XPobz4qFlRiiXc0HwgHSSxnrKT7nke7GShFBy/x97fuTLY57aC7I/Fj:yPQMw1ZOT7kef1y/X7fuTq4j
                                                                                  MD5:606DC375E898D7221CCB7CEB8F7C686B
                                                                                  SHA1:26DCF93876C89283623B8150C1B79EDB24B6A7EC
                                                                                  SHA-256:F442E440580EA35040E35BF1D85A118E7C182FDE0B9BA2A3C1816DEAB5F822BB
                                                                                  SHA-512:9FBC42165B51A2020D2DA2FFE33287A4F3AA33639126813B290D329D47C4F4DA8F297A47AF3C1F63AF6F9E1BA47ACE840BC1660D603E17589E5DB6DDA0E1E5B1
                                                                                  Malicious:false
                                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.5.5.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...c.o.m./.....q.u.e.s.t.i.o.n. .=. .S.o.r.u.....e.r.r.o.r. .=. .H.a.t.a.....i.n.f.o.r.m.a.t.i.o.n. .=. .B.i.l.g.i.....n.o.t.i.f.i.c.a.t.i.o.n. .=. .B.i.l.d.i.r.i.m.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. .H.i.z.m.e.t. .y.a.p.1.l.a.n.d.1.r.m.a.s.1. .o.k.u.n.a.m.1.y.o.r...\.n.;.L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t.i.n.i. .y.e.n.i.d.e.n. .y...k.l.e.m.e.k. .m.i. .i.s.t.i.y.o.r.s.u.n.u.z.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. .L.i.t.e.M.a.n.a.g.e.r. .h.i.z.m.e.t. .b.a._.l.a.n.g.1... .m.o.d.u.n.u. .a.y.a.r.l.a.y.a.m.1.y.o.r...\.n.;.S.i.s.t.e.m.i. .y.e.n.i.d.e.n. .b.a._.l.

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\Lang\Ukrainian.lg

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (305), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):87912
                                                                                  Entropy (8bit):4.303374267443204
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:VUlHxa/yEOYEJNHWjlUu1pZ26ER2nkUTbfk74Q:aNxWREb4lUu1P29R2JbfC4Q
                                                                                  MD5:3FC082E8F516EAD9FC26AC01E737F9EF
                                                                                  SHA1:3B67EBCE4400DDCF6B228E5668F3008561FB8F21
                                                                                  SHA-256:3DC0CEAE11F445B57B17B7C35A90B5133E313CF6B61550AB418252C5B8089C99
                                                                                  SHA-512:9A9D20AF2F8C27056F58AB5A9C687F5124CE5F6D563E396C9558331FB8BE48E88E148B1FDC548A5EBDEDB451E3D89F2F96856F3BBFD695691D5687599F376421
                                                                                  Malicious:false
                                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d. .=. .1.0.5.8.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...8.B.0.=.=.O.....e.r.r.o.r. .=. ...>.<.8.;.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.V.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...>.2.V.4.>.<.;.5.=.=.O.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.<.>.6.;.8.2.>. .?.@.>.G.8.B.0.B.8. .:.>.=.D.V.3.C.@.0.F.V.N. .A.;.C.6.1.8...\.n.;...5.@.5.2.A.B.0.=.>.2.8.B.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.<.>.6.;.8.2.>. .2.A.B.0.=.>.2.8.B.8. .@.5.6.8.<. .7.0.?.C.A.:.C. .A.;.C.6.1.8. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):6307408
                                                                                  Entropy (8bit):6.5944937257467116
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:NwiA/GmKEt3LQ7V8z3uHWkd49GMdqOxaB:NOGmKEt31kd2dqwaB
                                                                                  MD5:63D0964168B927D00064AA684E79A300
                                                                                  SHA1:B4B9B0E3D92E8A3CBE0A95221B5512DED14EFB64
                                                                                  SHA-256:33D1A34FEC88CE59BEB756F5A274FF451CAF171A755AAE12B047E678929E8023
                                                                                  SHA-512:894D8A25E9DB3165E0DAAE521F36BBD6F9575D4F46A2597D13DEC8612705634EFEA636A3C4165BA1F7CA3CDC4DC7D4542D0EA9987DE10D2BC5A6ED9D6E05AECB
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................C..F........C.......C...@.......................... i.......`..........@................... N.......M..A...@T...............`.P"...PN.<............................@N.......................M.......N......................text.....C.......C................. ..`.itext...0....C..2....C............. ..`.data... 3....C..4....C.............@....bss........0E..........................idata...A....M..B....E.............@....didata.......N......LE.............@....edata....... N......ZE.............@..@.tls....X....0N..........................rdata..]....@N......\E.............@..@.reloc..<....PN......^E.............@..B.rsrc........@T......DK.............@..@............. i.......`.............@..@................

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7753808
                                                                                  Entropy (8bit):6.615075046955521
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:D4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCAFIqOx9N:DXQ7SIEXeMBk2V4N/Nq2Iqw9N
                                                                                  MD5:F3D74B072B9697CF64B0B8445FDC8128
                                                                                  SHA1:8408DA5AF9F257D12A8B8C93914614E9E725F54C
                                                                                  SHA-256:70186F0710D1402371CE2E6194B03D8A153443CEA5DDB9FC57E7433CCE96AE02
                                                                                  SHA-512:004054EF8CDB9E2FEFC3B7783574BFF57D6D5BF9A4624AD88CB7ECCAE29D4DFD2240A0DC60A14480E6722657132082332A3EC3A7C49D37437644A31E59F551AF
                                                                                  Malicious:true
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...w#.f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g.. ............v.P"...._.4............................._..................... m_.|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.... ....g.. ....^.............@..@............. ........v.............@..@................

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\ROMwln.dll

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):999944
                                                                                  Entropy (8bit):6.626732213066839
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:SA9+TVJdg0YMgqAahyv0jKdTq4lrBhqSq/rt8VwGFrt:SRho0lgqA6yvnrBhq/rQDt
                                                                                  MD5:ED32E23322D816C3FE2FC3D05972689E
                                                                                  SHA1:5EEA702C9F2AC0A1AADAE25B09E7983DA8C82344
                                                                                  SHA-256:7F33398B98E225F56CD287060BEFF6773ABB92404AFC21436B0A20124919FE05
                                                                                  SHA-512:E505265DD9D88B3199EB0D4B7D8B81B2F4577FABD4271B3C286366F3C1A58479B4DC40CCB8F0045C7CD08FD8BF198029345EEF9D2D2407306B73E5957AD59EDF
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...`.-\.................J...........X.......`....@.................................................................. ...................@...........0.......@.. O...................................................................................text...0?.......@.................. ..`.itext..8....P.......D.............. ..`.data....:...`...<...N..............@....bss.....]...............................idata..............................@....didata.............................@....edata....... ......................@..@.rdata..E....0......................@..@.reloc.. O...@...P..................@..B.rsrc....@.......@..................@..@.....................0..............@..@........................................................

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\Russian.lg

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):94772
                                                                                  Entropy (8bit):4.284840986247552
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:r1kyTyZFOTb6QeZGJXYbFAMrKARuZk7FRwZoFTa2n:rn+2iZGhYbK4KARpAoFTa2n
                                                                                  MD5:0E204FABE68B4B65ED5E0834651FB732
                                                                                  SHA1:B338A6E54AA18F3F8A573580520F16C74A51F3D2
                                                                                  SHA-256:302373D81F0AE15589206420CB01A266804C9FD1C1FF0D6E09CE6BA3FEF92B64
                                                                                  SHA-512:AAD76F6A76DC693D959389CE471BC585D0DA72737FED99F42F219FDC7C71617C00E8003A467092E12820A359D672C6FB80D99772F3F6433923B2ABB7EEA40F08
                                                                                  Malicious:false
                                                                                  Preview:..[._.s.y.s.t.e.m.].....l.a.n.g.u.a.g.e._.i.d.=.1.0.4.9.........[._.m.e.s.s.a.g.e.s.].....w.e.b._.s.i.t.e. .=. .h.t.t.p.:././.l.i.t.e.m.a.n.a.g.e.r...r.u./.....q.u.e.s.t.i.o.n. .=. ...>.?.@.>.A.....e.r.r.o.r. .=. ...H.8.1.:.0.....i.n.f.o.r.m.a.t.i.o.n. .=. ...=.D.>.@.<.0.F.8.O.....n.o.t.i.f.i.c.a.t.i.o.n. .=. ...?.>.2.5.I.5.=.8.5.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.r.e.a.d._.c.o.n.f.i.g.u.r.a.t.i.o.n. .=. ...5.2.>.7.<.>.6.=.>. .?.@.>.G.8.B.0.B.L. .:.>.=.D.8.3.C.@.0.F.8.N. .A.;.C.6.1.K...\.n.;...5.@.5.C.A.B.0.=.>.2.8.B.L. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.?.....f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r.......f.m._.s.e.t.t.i.n.g.s._.u.n.a.b.l.e._.s.e.t._.s.t.a.r.t.u.p._.m.o.d.e._.r.e.s.t.a.r.t. .=. ...5.2.>.7.<.>.6.=.>. .C.A.B.0.=.>.2.8.B.L. .@.5.6.8.<. .7.0.?.C.A.:.0. .A.;.C.6.1.K. .L.i.t.e.M.a.n.a.g.e.r. .S.e.r.v.e.r...\.n.

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\files\ROMServer.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):7752272
                                                                                  Entropy (8bit):6.615186281886958
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:y4/WZQ7lc63BJGS1VFeIEll251o7+YcMBk2VVyN/RTfCEFIqOxJn:yXQ7SIEXeMBk2V4N/NqiIqwJn
                                                                                  MD5:84FB34E529BEDE393A3F604EAA8137B2
                                                                                  SHA1:195EA03B7BD086454A13C0D8357E0A9E447D9EC9
                                                                                  SHA-256:1E396C4066AC8F421A54893442A0D76C4F8D4146E63825D67DFC0DA782E73EE5
                                                                                  SHA-512:A48A80D62E588667B4C891CDED279BABFFA5FB4FDF092F345212F81D29A9ACAA06E6DB27B49DC601909409A3C82AA9272BCDF90D0AE1738E83E80D9FCA4D93E6
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................ZU... ......qU.......U...@.......................... ........v..........@...................._......`_..K....g..............(v.P"...._.4............................._..................... m_.|....._......................text....&U......(U................. ..`.itext..$1...@U..2...,U............. ..`.data....@....U..B...^U.............@....bss....0.....V..........................idata...K...`_..L....V.............@....didata......._.......V.............@....edata........_.......V.............@..@.tls....`....._..........................rdata..]....._.......V.............@..@.reloc..4....._.......V.............@..B.rsrc.........g.......^.............@..@............. .......(v.............@..@................

                                                                                  C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):11361360
                                                                                  Entropy (8bit):6.496049600782297
                                                                                  Encrypted:false
                                                                                  SSDEEP:98304:AshiRp5hPI7N9sSA5wbZXJOu/0uOXZYfmQYanSjS+cWuNOlQpgfYLyPsd+QgBBP5:Al5hPwgvyAjDjS+igfgym+bHJxmK
                                                                                  MD5:B0E355EC3453C8FFAEE08CD4257E96F2
                                                                                  SHA1:0FA023CA8F1C1ECDADDE3DD3BD551870C2D965E2
                                                                                  SHA-256:60248BA026064B116E4F94020DABB74DF519F5B4C41379CA19A38D725692CA8E
                                                                                  SHA-512:B6004F83FD78EED84BF21611EFA45F2FFADF3625E0A2FDCDAE531B4734A4B886EBFE5EBE990DA42302B7368282D83DFFEF19E71DA8EC4C155EE5C8619AD028DD
                                                                                  Malicious:false
                                                                                  Yara Hits:
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe, Author: Joe Security
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                  Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................v..67.......v...... v...@..........................0...................@...................p...........L...p....+..........:..P"...................................................................`.......................text.....u.......u................. ..`.itext...6....u..8....u............. ..`.data....R... v..T....v.............@....bss.........w..........................idata...L.......N...Xw.............@....didata......`........w.............@....edata.......p........w.............@..@.tls....`................................rdata..].............w.............@..@.reloc................w.............@..B.rsrc.....+..p....+.................@..@.............0.......:..............@..@................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.chk

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):8192
                                                                                  Entropy (8bit):0.363788168458258
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
                                                                                  MD5:0E72F896C84F1457C62C0E20338FAC0D
                                                                                  SHA1:9C071CC3D15E5BD8BF603391AE447202BD9F8537
                                                                                  SHA-256:686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
                                                                                  SHA-512:AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
                                                                                  Malicious:false
                                                                                  Preview:*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):1.3107848872158971
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrn:KooCEYhgYEL0In
                                                                                  MD5:0E1CB12D1B5028D32C64A528C76059C9
                                                                                  SHA1:BD0C7B712F10E05A4CF4007A6DA9279E35D4F1A0
                                                                                  SHA-256:900AA385255B17E11DE47AF48238415A52BF58883CE03E6594BF6A9C407B335D
                                                                                  SHA-512:FD07B8C3C47C1154B90BD98D7F22F34CE8B0A84BD3CA10C7CD1EFAD2440F17E0F73DA4EE4141CF15466F5B2B14A2CF3043AF55F2B06CB9087B7FE7A4973B03E9
                                                                                  Malicious:false
                                                                                  Preview:z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x1a33c34f, page size 16384, Windows version 10.0
                                                                                  Category:dropped
                                                                                  Size (bytes):1310720
                                                                                  Entropy (8bit):0.4221250569506558
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:/SB2ESB2SSjlK/uedMrSU0OrsJzvqYkr3g16f2UPkLk+ku4/Iw4KKazAkUk1k2DO:/azag03A2UrzJDO
                                                                                  MD5:E3C0E42937424928E4460874E8B23A68
                                                                                  SHA1:C5E7A0F1DC1D949DFDE854A2A425398BB5043E67
                                                                                  SHA-256:BE6B63BFD9584928A977F9C6538FB45E3E85B4711ED606D9C0868758BFDAD27A
                                                                                  SHA-512:197D9E45D2685100F548A4896E1BD606D9877CAF007B4364EB488FAF09CEE1F60304E1CEB821ABEA070177B251D5B9ACF7837CB2CDBF9A98CC98E2A42684F7B5
                                                                                  Malicious:false
                                                                                  Preview:.3.O... .......Y.......X\...;...{......................n.%......0...|.......|..h.#......0...|..n.%.........D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ............................................................................................................................................................................................................2...{....................................pr.0...|...................*.4.0...|...........................#......n.%.....................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):16384
                                                                                  Entropy (8bit):0.07573553367450145
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:UXSllWetYebSG9wgXlHa7gcvZWXlAVw7gXlAllOE/tlnl+/rTc:UEzbSs1HaEcBW1wwE1ApMP
                                                                                  MD5:FA82F0124AF87BE96D4B35974C97549D
                                                                                  SHA1:6800DEF28F1C96B03DD62E13B86C124C18B5E552
                                                                                  SHA-256:9133DE3CAEF68900BA02EF55270C687385201295E41ACAE48F0265D2B30F68D5
                                                                                  SHA-512:8C835D5C144E6FAD0E24FCAF3CD0E2CF25A7EDF522E1A1A0D4DFB6D87522F2DB6662EC55A78F4FA520257B0F821A958E4FCF2637726C8A27A7B902F91F39A1A0
                                                                                  Malicious:false
                                                                                  Preview:>........................................;...{.......|...0...|...........0...|...0...|...,.\.0...|...................*.4.0...|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Settings for LM-Server.lnk

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Wed Oct 30 20:46:14 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):2167
                                                                                  Entropy (8bit):3.923866114021259
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:8l2VsdOpzEHQUZd5Y+d5YsP5qoZkmrSUp8JWqoZkmtYz:8lazEHK9O5qoZbcJWqoZbt
                                                                                  MD5:97F806B4F8D63B7E8EC7C73142B288C6
                                                                                  SHA1:B5DBA5A1312D69E8D51E7496C51D9A4B572D631D
                                                                                  SHA-256:5A74BA47EC72136B3C7A924CF47F7857AB1318F04098C8D33B81BDAF932347BB
                                                                                  SHA-512:22D72C2C1484CD2AF05A312DD0914655F5D6B4D2822606A42977DE9FBBAEE56FE14F0BC1974BF98A4F34437C10B9069C7D0724954F5D6D5BC9B5FFA876F27B79
                                                                                  Malicious:false
                                                                                  Preview:L..................F.@.. .....>.....W.r$.+....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....^Y...PROGRA~2.........O.I^Y.....................V.....$.!.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....^Y...LITEMA~1..b......^Y.^Y...........................9...L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.^Y...............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k............-.......C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.c.o.n.f.i.g.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\

                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Start LM-Server.lnk

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1890
                                                                                  Entropy (8bit):3.1573107695942624
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:8ddOEPLqd5Y+d5YcCP5q2DT2S0Wq2DTKX7:85LJ9cM5qUoWqUE
                                                                                  MD5:5FC67E19699B3F0B2AB7B4B89B0B3F1A
                                                                                  SHA1:6F6380DF2EB8C5D30452A846864F001A8B0E473A
                                                                                  SHA-256:45451F933B472FA53301D46B7C072AF67E51EC60172E6E9C01E0B308DF78A2F4
                                                                                  SHA-512:81C7A9F5683DB54893BD26A6EC1BCBDB17983037668CD996E03934E7708331594195DBF2CCE9EB2B0C0567A9E8B24DD629D40866D49E55C9DF77A864D15744E5
                                                                                  Malicious:false
                                                                                  Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................z.1...........Program Files (x86).X............................................P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)..."...1...........LiteManager Pro - Server..b............................................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r...(.h.2...........ROMServer.exe.L............................................R.O.M.S.e.r.v.e.r...e.x.e.......L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.a.r.t.n.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.R.O.M.S.e.r.v.e.r...e.x.e._.9.D.0.9.B.2.B.C.2.5.A.2.4.1.4.C.B.D.8.4.8.E.2.B.7.5.8.9.8.6.7.6...e.x.e.........%SystemRoot%\In

                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Stop LM-Server.lnk

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Aug 22 17:41:10 2024, mtime=Wed Oct 30 20:46:14 2024, atime=Thu Aug 22 17:41:10 2024, length=7753808, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):2159
                                                                                  Entropy (8bit):3.9052367955304583
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:8+2VsdOmJW5UZd5Y+d5Ys5qcxFWT84SslWqcxFWT8cYz:8+7JWd9s5qcxYT8SWqcxYT8c
                                                                                  MD5:10805EC97F0086CA32DFD6E51FDAAC97
                                                                                  SHA1:D79BEC0ADD0538F4CC2F951CAEF8A8DD62592716
                                                                                  SHA-256:DA3C1043DB13DE4000EF19902E0F95ACD6B12AD1D8C100BCF9B70DDDE49FD011
                                                                                  SHA-512:D301B00D1C17C8BC251F2E5C02DAF80BABB9338EA37AC7CFAF4EEC5901A92E0C8BE7CB84B09785EE66A601DFBA2A15C20C05D322076C5049BBF755EF439ACF68
                                                                                  Malicious:false
                                                                                  Preview:L..................F.@.. .....>......9i$.+....>.....PPv..........................P.O. .:i.....+00.../C:\.....................1.....^Y...PROGRA~2.........O.I^Y.....................V.....$.!.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....z.1.....^Y...LITEMA~1..b......^Y.^Y...............................L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.....h.2.PPv..Y%. .ROMSER~1.EXE..L.......Y%.^Y...............................R.O.M.S.e.r.v.e.r...e.x.e.......l...............-.......k............-.......C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe..L.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.R.O.M.S.e.r.v.e.r...e.x.e.0.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.L.i.t.e.M.a.n.a.g.e.r. .P.r.o. .-. .S.e.r.v.e.r.\.../.s.t.o.p.l.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.s.t

                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LiteManager Pro - Server\Uninstall LiteManager - Server.lnk

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Sat Dec 7 08:10:02 2019, mtime=Wed Oct 4 09:56:56 2023, atime=Sat Dec 7 08:10:02 2019, length=59904, window=hide
                                                                                  Category:dropped
                                                                                  Size (bytes):1953
                                                                                  Entropy (8bit):3.8801422945484
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:8WnJ+DAvws3ebTAyPwB+sHyjv/+MTyjvejIKZDUHwGS7ke4WTyjvejIKZDUHwwcs:8WnuAvob0dHOn5qmjlt6ScWqmjltZxD
                                                                                  MD5:0C3FCEB1782B1F3601DFE7B293D0B55F
                                                                                  SHA1:EA75913536F71C5D4A3115924DDBE78A5142B107
                                                                                  SHA-256:1ACA4468818222046B4F70753EC84600E1D399B42337B438E85066B6D470D6E1
                                                                                  SHA-512:C43C164006C8A3208B6EC494BE92EAD4E31247C0573864CC3B3BA6E2B1CCA2922A89FB820160FA425B01B7F153EB3B360EAD744157A81C9844D1B43175DC89B8
                                                                                  Malicious:false
                                                                                  Preview:L..................F.@.. ...25.....1>.~....25.............................A....P.O. .:i.....+00.../C:\...................V.1.....DWP`..Windows.@......OwH^Y.....3.......................9.W.i.n.d.o.w.s.....Z.1.....^Y....SysWOW64..B......O.I^Y.....Y.........................S.y.s.W.O.W.6.4.....b.2......OBI .msiexec.exe.H......OBIDW.V................|.............m.s.i.e.x.e.c...e.x.e.......N...............-.......M............-.......C:\Windows\SysWOW64\msiexec.exe........\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e.)./.x. .{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.s.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.7.1.F.F.A.4.7.5.-.2.4.D.5.-.4.4.F.B.-.A.5.1.F.-.3.9.B.6.9.9.E.3.D.8.2.C.}.\.U.N.I.N.S.T._.U.n.i.n.s.t.a.l.l._.L._.7.8.A.A.5.B.6.6.6.2.5.1.4.D.9.4.A.8.4.7.D.6.C.6.0.3.A.F.0.8.9.5...e.x.e.........%SystemRoot%\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C6

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):292
                                                                                  Entropy (8bit):5.20993132547282
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xVpr+q2Pwkn2nKuAl9OmbnIFUt8vxVFZmw+vxVpVkwOwkn2nKuAl9OmbjLJ:6xevYfHAahFUt8vxH/+vxV5JfHAaSJ
                                                                                  MD5:0C720A8681A606420C6D70E6170B42B6
                                                                                  SHA1:B0EE1A2A4DDF40EDE957A816E8DC23324B92D914
                                                                                  SHA-256:C4ABAF2533ABD4506DF028445639316172EC074B9654CF8C79532043B6AF440F
                                                                                  SHA-512:6873F939FA7AE64697848F77CA8AAD3F12A01BA3387407FFCDAAFD82A8DCA15A5F4A84743AD3524EF6E9BD272336D999F290C16951A886E6AB122565DB6A89DA
                                                                                  Malicious:false
                                                                                  Preview:2024/10/30-17:46:08.685 1ea8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/30-17:46:08.704 1ea8 Recovering log #3.2024/10/30-17:46:08.704 1ea8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):292
                                                                                  Entropy (8bit):5.20993132547282
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xVpr+q2Pwkn2nKuAl9OmbnIFUt8vxVFZmw+vxVpVkwOwkn2nKuAl9OmbjLJ:6xevYfHAahFUt8vxH/+vxV5JfHAaSJ
                                                                                  MD5:0C720A8681A606420C6D70E6170B42B6
                                                                                  SHA1:B0EE1A2A4DDF40EDE957A816E8DC23324B92D914
                                                                                  SHA-256:C4ABAF2533ABD4506DF028445639316172EC074B9654CF8C79532043B6AF440F
                                                                                  SHA-512:6873F939FA7AE64697848F77CA8AAD3F12A01BA3387407FFCDAAFD82A8DCA15A5F4A84743AD3524EF6E9BD272336D999F290C16951A886E6AB122565DB6A89DA
                                                                                  Malicious:false
                                                                                  Preview:2024/10/30-17:46:08.685 1ea8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/10/30-17:46:08.704 1ea8 Recovering log #3.2024/10/30-17:46:08.704 1ea8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):336
                                                                                  Entropy (8bit):5.1792027450512155
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xVm3Vq2Pwkn2nKuAl9Ombzo2jMGIFUt8vxVouzgZmw+vxVWc0IkwOwkn2nKuAlx:6x43VvYfHAa8uFUt8vxfg/+vxczI5Jfg
                                                                                  MD5:707F53CF73E11859EA01A73435EC8387
                                                                                  SHA1:35189FBD19754EAAD993BE79655060D2C7EC7D21
                                                                                  SHA-256:F8DFEF41315E7E6FE89C479EF57DA7D958A9F3841843A14C132A6E212CF79E66
                                                                                  SHA-512:5E6C72A70C3934BBB7FF71D177DE23B6AD8B9453E3D173D2273C4EFF05A6FFCAAB350241F4FD93BF45668BB247F3C332849AE04BD3B98189516100430FC2554C
                                                                                  Malicious:false
                                                                                  Preview:2024/10/30-17:46:08.802 1fe4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/30-17:46:08.803 1fe4 Recovering log #3.2024/10/30-17:46:08.804 1fe4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):336
                                                                                  Entropy (8bit):5.1792027450512155
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xVm3Vq2Pwkn2nKuAl9Ombzo2jMGIFUt8vxVouzgZmw+vxVWc0IkwOwkn2nKuAlx:6x43VvYfHAa8uFUt8vxfg/+vxczI5Jfg
                                                                                  MD5:707F53CF73E11859EA01A73435EC8387
                                                                                  SHA1:35189FBD19754EAAD993BE79655060D2C7EC7D21
                                                                                  SHA-256:F8DFEF41315E7E6FE89C479EF57DA7D958A9F3841843A14C132A6E212CF79E66
                                                                                  SHA-512:5E6C72A70C3934BBB7FF71D177DE23B6AD8B9453E3D173D2273C4EFF05A6FFCAAB350241F4FD93BF45668BB247F3C332849AE04BD3B98189516100430FC2554C
                                                                                  Malicious:false
                                                                                  Preview:2024/10/30-17:46:08.802 1fe4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/10/30-17:46:08.803 1fe4 Recovering log #3.2024/10/30-17:46:08.804 1fe4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\8012a098-7e4f-4008-b5d8-2a7ee2b4d12d.tmp

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:JSON data
                                                                                  Category:modified
                                                                                  Size (bytes):475
                                                                                  Entropy (8bit):4.9537402263162695
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:YH/um3RA8sqlhsBdOg2H/Zcaq3QYiubInP7E4T3y:Y2sRdsNdMH/g3QYhbG7nby
                                                                                  MD5:694DB18A09E6DDCC8279BC6D3BCC230A
                                                                                  SHA1:7D1B9D584FE1EB22F272D8996BA09AD0CA06A4ED
                                                                                  SHA-256:83A8F757725570F570BC8CEADA4249432DFBB043D514A6D8A6C6BBE9C99C2C47
                                                                                  SHA-512:DFB9B587B5D0BEC0863D3ED35EE72FE1A4D67829F29DC402B391CA38D5BEB29FB894BDA18425401997B2584CF3D74CEC22990F9A8D863E1F2BE43FB470033889
                                                                                  Malicious:false
                                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374884774551714","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":257713},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):475
                                                                                  Entropy (8bit):4.9537402263162695
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:YH/um3RA8sqlhsBdOg2H/Zcaq3QYiubInP7E4T3y:Y2sRdsNdMH/g3QYhbG7nby
                                                                                  MD5:694DB18A09E6DDCC8279BC6D3BCC230A
                                                                                  SHA1:7D1B9D584FE1EB22F272D8996BA09AD0CA06A4ED
                                                                                  SHA-256:83A8F757725570F570BC8CEADA4249432DFBB043D514A6D8A6C6BBE9C99C2C47
                                                                                  SHA-512:DFB9B587B5D0BEC0863D3ED35EE72FE1A4D67829F29DC402B391CA38D5BEB29FB894BDA18425401997B2584CF3D74CEC22990F9A8D863E1F2BE43FB470033889
                                                                                  Malicious:false
                                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13374884774551714","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":257713},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):4320
                                                                                  Entropy (8bit):5.258648322369581
                                                                                  Encrypted:false
                                                                                  SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7gXlr:etJCV4FiN/jTN/2r8Mta02fEhgO73goK
                                                                                  MD5:03EECA2BD954DE67FF232D2126C2478B
                                                                                  SHA1:59B860B5CB5D79FC0038523FCC7B26EDD926FA6E
                                                                                  SHA-256:181B826A7EF7E16D231BA9ADCE7F30A373AFAF6C488AF3F339C147AD0CF4D765
                                                                                  SHA-512:BE05D3E2AEF41C165864075864B1B4B0629F4596B8F802760942A0ABFE16FA464A9A2C54C79A510E9DD0C1D89B5B98D085E57DE154254F67D47B75AF9D7483DA
                                                                                  Malicious:false
                                                                                  Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):324
                                                                                  Entropy (8bit):5.207728006136993
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xVVlSVq2Pwkn2nKuAl9OmbzNMxIFUt8vxVAgZmw+vxVAIkwOwkn2nKuAl9OmbzE:6xcVvYfHAa8jFUt8vx6g/+vx6I5JfHAo
                                                                                  MD5:B763976C0783AB2C043CDA4FBCEEA2B7
                                                                                  SHA1:2A0BCB23CA448BC042D837442EF064AAB7BEB103
                                                                                  SHA-256:359959CBACF5F15631D442A8C2F2B5C7E4267B4A009CD8B9E32832C1D5A16621
                                                                                  SHA-512:106E2A6BBC39F8A4FF52625419D6525B6D57E10DF6B90B05F247D9E11FA05A7CD1949A39AA46A00F18E6C4E2F331ED8833AE3F6D6A6265ADC1C42DF1212C53D8
                                                                                  Malicious:false
                                                                                  Preview:2024/10/30-17:46:08.839 1fe4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/30-17:46:08.842 1fe4 Recovering log #3.2024/10/30-17:46:08.842 1fe4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:ASCII text
                                                                                  Category:dropped
                                                                                  Size (bytes):324
                                                                                  Entropy (8bit):5.207728006136993
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:6xVVlSVq2Pwkn2nKuAl9OmbzNMxIFUt8vxVAgZmw+vxVAIkwOwkn2nKuAl9OmbzE:6xcVvYfHAa8jFUt8vx6g/+vx6I5JfHAo
                                                                                  MD5:B763976C0783AB2C043CDA4FBCEEA2B7
                                                                                  SHA1:2A0BCB23CA448BC042D837442EF064AAB7BEB103
                                                                                  SHA-256:359959CBACF5F15631D442A8C2F2B5C7E4267B4A009CD8B9E32832C1D5A16621
                                                                                  SHA-512:106E2A6BBC39F8A4FF52625419D6525B6D57E10DF6B90B05F247D9E11FA05A7CD1949A39AA46A00F18E6C4E2F331ED8833AE3F6D6A6265ADC1C42DF1212C53D8
                                                                                  Malicious:false
                                                                                  Preview:2024/10/30-17:46:08.839 1fe4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/10/30-17:46:08.842 1fe4 Recovering log #3.2024/10/30-17:46:08.842 1fe4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                                  Category:dropped
                                                                                  Size (bytes):86016
                                                                                  Entropy (8bit):4.444927360052521
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:yezci5toiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rPs3OazzU89UTTgUL
                                                                                  MD5:254BC797C7784FBFE360747CDA8C63B8
                                                                                  SHA1:35FB1185ABE55DA86C4CFDF35508C01ABCCEF88D
                                                                                  SHA-256:4AA14F748CA472C553B8B762D492581BA42543582642D23EFB6D9DCB7DDA469B
                                                                                  SHA-512:AC21B706E00530DF9137B618B0C64C035C2BEB3D131DB47A4BA5A29ACECC13C901F1CB23F7C217C9ADE5EF4FCFA81276BBC2EC1A3F9309DF44FA6158DB8A3328
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite Rollback Journal
                                                                                  Category:dropped
                                                                                  Size (bytes):8720
                                                                                  Entropy (8bit):3.7721743218905592
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:7Mnp/E2ioyVfJKioy9oWoy1Cwoy1MJ5KOioy1noy1AYoy1Wioy1hioybioyeJzoA:7wpju4F/XKQ7Mb9IVXEBodRBku
                                                                                  MD5:3A6EC371C35CA86EC49A4ADC3210A661
                                                                                  SHA1:5CBD3B9C79B16A16E44EC919AA07602EFA7F8AE4
                                                                                  SHA-256:06614F179E828F3E2F1049A198224EAB8FA1D07331197CACADFCAEA88BE5CD24
                                                                                  SHA-512:B5A76D69665E1E21A23E5778B92E05338DCBFB77703AE82F43A60EBD17E5016EEBB75A42B33BAC4378841DBA9BF89D3D8163B5145C93EAEC3280B29E00138366
                                                                                  Malicious:false
                                                                                  Preview:.... .c.....H.q5...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:Certificate, Version=3
                                                                                  Category:dropped
                                                                                  Size (bytes):1391
                                                                                  Entropy (8bit):7.705940075877404
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                  Malicious:false
                                                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                  Category:dropped
                                                                                  Size (bytes):71954
                                                                                  Entropy (8bit):7.996617769952133
                                                                                  Encrypted:true
                                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                  Malicious:false
                                                                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):192
                                                                                  Entropy (8bit):2.756901573172974
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:kkFklS6VPNvfllXlE/HT8kX/h1NNX8RolJuRdxLlGB9lQRYwpDdt:kKLkPmT8QJ7NMa8RdWBwRd
                                                                                  MD5:FBBB24AB20020124935DE70FA870BC2A
                                                                                  SHA1:2EFA15AE0CE71C2B2972CD8124265FCA4AAE2A0B
                                                                                  SHA-256:1D3EA86D687587D0AD04F3DE0F7B03C6D134F5EEBCAFE65E1939B1EAC9A5FECB
                                                                                  SHA-512:D2FD67FA159D8C83F44406DAD86C78CE777160D0E8E906729129E5FD11F0B8F03486E6E8DCF9E465370F4846E7B9B3B1D5E5C5A05E4B935E11FAA00FB0862290
                                                                                  Malicious:false
                                                                                  Preview:p...... ........._.(.+..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

                                                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):328
                                                                                  Entropy (8bit):3.150184159866505
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:kK78AF9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:D8ZDnLNkPlE99SNxAhUe/3
                                                                                  MD5:E04C1B9706363A415F53771431A2EA4B
                                                                                  SHA1:8665A02248D7573BA20CE7140ED3B694EF5DCCDC
                                                                                  SHA-256:0F6822538046C0ED26C22699CEEFA8E970FD273F56BFF3D427487D9378017DE2
                                                                                  SHA-512:9A4ED327EC11209721B7919EE9CB789BB63A6AC78C56F8CAFE544D574A80E5D0F528655439D92335805234F9E306B2A93CFF6A8B53D3C0E7FA2F4E3594AE1174
                                                                                  Malicious:false
                                                                                  Preview:p...... ........g.).+..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7664

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):185099
                                                                                  Entropy (8bit):5.182478651346149
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                                  MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                                  SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                                  SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                                  SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:PostScript document text
                                                                                  Category:dropped
                                                                                  Size (bytes):185099
                                                                                  Entropy (8bit):5.182478651346149
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:JsVoWFMWQNk1KUQII5J5lZRT95tFiQibVJDS+Stu/3IVQBrp3Mv9df0CXLhNHqTM:bViyFXE07ZmandGCyN2mM7IgOP0gC
                                                                                  MD5:94185C5850C26B3C6FC24ABC385CDA58
                                                                                  SHA1:42F042285037B0C35BC4226D387F88C770AB5CAA
                                                                                  SHA-256:1D9979A98F7C4B3073BC03EE9D974CCE9FE265A1E2F8E9EE26A4A5528419E808
                                                                                  SHA-512:652657C00DD6AED1A132E1DFD0B97B8DF233CDC257DA8F75AC9F2428F2F7715186EA8B3B24F8350D409CC3D49AFDD36E904B077E28B4AD3E4D08B4DBD5714344
                                                                                  Malicious:false
                                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Reg.FamilyName:Agency FB.StyleName:Regular.MenuName:Agency FB.StyleBits:0.WeightClass:400.WidthClass:3.AngleClass:0.FullName:Agency FB.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB.FileLength:58920.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:AgencyFB-Bold.FamilyName:Agency FB.StyleName:Bold.MenuName:Agency FB.StyleBits:2.WeightClass:700.WidthClass:3.AngleClass:0.FullName:Agency FB Bold.WritingScript:Roman.hasSVG:no.hasCOLR:no.VariableFontType:NonVariableFont.WinName:Agency FB Bold.FileLength:60656.NameArray:0,Win,1,Agency FB.NameArray:0,Mac,4,Agency FB Bold.NameArray:0,Win,1,Agency FB.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Algerian.FamilyName:Algerian.StyleName:Regular.MenuName:Algerian.StyleBits:0.We

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):295
                                                                                  Entropy (8bit):5.333920741364324
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJM3g98kUwPeUkwRe9:YvXKXAkhcZEZc0vQGMbLUkee9
                                                                                  MD5:876D78741B40B658A1E64D60EFA79F85
                                                                                  SHA1:C635E88C3B1BA74F59EA314D226EA00957094267
                                                                                  SHA-256:D443EB3EF7C29B4EE1D83A12D30368BD107C0C54A409868D17A64824C907A1E5
                                                                                  SHA-512:EE9B292B36D689D84F715373511928CC8E924D2CA35813508F4C74D8243DDEFEA79C9DEEF1F7E79980B3FCA52612E2AC4029036C33A0CB8D4A65560D20EE0ABE
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):294
                                                                                  Entropy (8bit):5.280789064471989
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfBoTfXpnrPeUkwRe9:YvXKXAkhcZEZc0vQGWTfXcUkee9
                                                                                  MD5:465DF141B12059EB3D87CE01636BC9B0
                                                                                  SHA1:2328C98550EA4163EE8A6C36FE6D24D50616EC4B
                                                                                  SHA-256:88263B9C34C2A20B56C58BC755176DFE3E99CFE61C708E7FF10C5D39FF69BBF2
                                                                                  SHA-512:59FE0791E5525953F628AEFE07F45D19A73572E4E9A362E2CCFF0A0F85D80CDF17EF3E1BC38B9E05786BB0D2BC9C94A91EEE8C6DA2D1D2993A75A3005F5335A7
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):294
                                                                                  Entropy (8bit):5.260315247546021
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfBD2G6UpnrPeUkwRe9:YvXKXAkhcZEZc0vQGR22cUkee9
                                                                                  MD5:344539AF18517F246D6E82E94879E7CF
                                                                                  SHA1:6846B1F2B67D86F9EB8DD90794BBABB193069641
                                                                                  SHA-256:12DF5FD37CC4D4D02CF3D70CF5B25560572A949C4F7C42A0DB6A578F55B09C9F
                                                                                  SHA-512:FFBB428D4E38165252741CD62BB78B09DF74EC57EFEA121E63BA95EA211904EFB302D5708584A6D46113400D4890D41181A2D8CA91714BC15BED91E192EADA23
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):285
                                                                                  Entropy (8bit):5.319898172297978
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfPmwrPeUkwRe9:YvXKXAkhcZEZc0vQGH56Ukee9
                                                                                  MD5:8C95973BBF78DAD1EC967AF693ACF004
                                                                                  SHA1:2197F8F47B829658A8F8DEAA69C67B6FD428696A
                                                                                  SHA-256:43CE8D7B5310E6F3B26794A4301E13DAA4565DA2C776C5AC54ACF5C9616597C7
                                                                                  SHA-512:35488B644A6D37A6CC464C2EB80D5BCDA2FC651F88DA7EEA7CCCECBC6542BC032A009250BC227950C0512F14817324FEC7F6B8E513735F190A32D220D219E306
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1055
                                                                                  Entropy (8bit):5.654384638588982
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XAqc6zvNpLgEscLf7nnl0RCmK8czOCCSE:YvEVhgGzaAh8cv/E
                                                                                  MD5:5DA167567FC465EDD507BC11A9FC810C
                                                                                  SHA1:D56037E5D5A42A4C062DD7051773D773852AE9A4
                                                                                  SHA-256:5A62CD77DF23E4578D0B22C14F99F1928EBE983197DF7194ACE16DAD35CFB3C2
                                                                                  SHA-512:A0304DDF1C0A59BC5C02103F9636F8CADA718A6FAB87E8F66DD06AA8A4E03D3734E9A38F5B8D478A41BB05E97B3F54F91CA22EBA88A217A1E97D08FC8496FBC2
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"92038_285529ActionBlock_1","campaignId":92038,"containerId":"1","controlGroupId":"","treatmentId":"eb1a4bce-8215-46f1-b44c-154b21a85d60","variationId":"285529"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNhdElkIjpudWxsfQ==","dataType":"application\/json","encodingScheme":tr

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1050
                                                                                  Entropy (8bit):5.644556245962282
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XAqc6zvRVLgEF0c7sbnl0RCmK8czOCYHflEpwiV1:YvE5Fg6sGAh8cvYHWpwE
                                                                                  MD5:9A91A3091609B3DA5B7AB48BB3ED5E60
                                                                                  SHA1:C01C9796ED73C93D9EDEFE3434FA00AA4883C52B
                                                                                  SHA-256:C8AA217D767CD98B9BAB45BDC829121D2571485FA4B0E9F36140461F99769CFD
                                                                                  SHA-512:78DC5E5851FD98FD549B86D9932F402D1C560E5EAD78944D96787B2944F17CBFC483E50765384FC95941E70B88690162B2A6FDE6BF3BAC78322B1E4F2CBB99CF
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Disc_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85534_264855ActionBlock_0","campaignId":85534,"containerId":"1","controlGroupId":"","treatmentId":"0924134e-3c59-4f53-b731-add558c56fec","variationId":"264855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Disc_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkNvbnZlcnQsIGVkaXQgYW5kIGUtc2lnblxuZm9ybXMgJiBhZ3JlZW1lbnRzLiJ9LCJ0Y2F0SWQiOm51bGx9","dataType":"application\/json","encodingScheme":true},"

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):292
                                                                                  Entropy (8bit):5.2675984582679405
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfQ1rPeUkwRe9:YvXKXAkhcZEZc0vQGY16Ukee9
                                                                                  MD5:7F6086AD1C7FD13FC092EC331FCA3143
                                                                                  SHA1:0760727D462D89F26FF3EAECC8CEFFA5B787198A
                                                                                  SHA-256:288D41A7A59FCB9B18E171967780F14933DFFA8D1E7B16949C5200382FE26F18
                                                                                  SHA-512:1BDA56374DBF3C5D223800627630121A67E1C33A7AF45ED996C7B2011BEDDFA510B3FA8714BB7DF5AD942E2FF8E35B6E5526F81E8DBB90BE20B686503DFE7B48
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1038
                                                                                  Entropy (8bit):5.636037490209418
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XAqc6zvA2LgEF7cciAXs0nl0RCmK8czOCAPtciB1:YvEoogc8hAh8cvAH
                                                                                  MD5:139857709FC79ABBAE21D6943203A802
                                                                                  SHA1:C22CB98238D2FEFA5128906AFAADB1EDB2627C42
                                                                                  SHA-256:3E32B86E2F43A3460F734CFC440B89C04B38C2A04A30311EF49BD4E7EC8217FA
                                                                                  SHA-512:35AAEE45F12630FABF4FB003DA8934ABE6B596304E6AC2DA79FCA2FDE69B3B6D73BA19CCD8D6B6AF4C1AA8898AD3346AE491BD9ABE73365420FD38BB3FB32F0A
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Edit_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85534_264855ActionBlock_1","campaignId":85534,"containerId":"1","controlGroupId":"","treatmentId":"49d2f713-7aa9-44db-aa50-0a7a22add459","variationId":"264855"},"containerId":1,"containerLabel":"JSON for DC_Reader_Edit_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVkaXQgdGV4dCwgaW1hZ2VzLCBwYWdlcywgYW5kIG1vcmUuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"application\/json","encodingScheme":true},"endDTS":1744

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1164
                                                                                  Entropy (8bit):5.691696349964183
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XAqc6zvIKLgEfIcZVSkpsn264rS514ZjBrwloJTmcVIsrSK51:YvEgEgqprtrS5OZjSlwTmAfSKD
                                                                                  MD5:D44AB3D7632EFD3220CBB6EBAD5D40E9
                                                                                  SHA1:81A091EC6F2E7AC4522A6D4F2D865F30F4F127A1
                                                                                  SHA-256:39AB0F24D59DDDF554C6E9B80392A25A1873356F4E589C1B2F5ADE105EF0F428
                                                                                  SHA-512:1553CA6D8A6A8DAD6020B420557E7BF1D23A3F81C05A557C83298A3583CD5C7B2677825EE27BFF86608FAA2D55FFB89CF8DFF20B2387802BE985C1E5285F47A2
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Home_LHP_Trial_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"85531_264848ActionBlock_0","campaignId":85531,"containerId":"1","controlGroupId":"","treatmentId":"ee1a7497-76e7-43c2-bb63-9a0551e11d73","variationId":"264848"},"containerId":1,"containerLabel":"JSON for DC_Reader_Home_LHP_Trial_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IlRyeSBBY3JvYmF0IFBybyJ9LCJ1aSI6eyJ0aXRsZV9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjE1cHgiLCJmb250X3N0eWxlIjoiMCJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEzcHgiLCJmb250X3N0eWxlIjoiLTEifSwidGl0bGUiOiJGcmVlIHRyaWFsIiwiZGVzY3JpcHRpb24iOiJHZXQgdW5saW1pdGVkIGFjY2VzcyB0b1xucHJlbWl1bSBQREYgYW5kIGUtc2lnbmluZ1xudG9vbHMuIn0sImJhbm5lcl9zdHlsaW5nIjo

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):289
                                                                                  Entropy (8bit):5.268277471360464
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfYdPeUkwRe9:YvXKXAkhcZEZc0vQGg8Ukee9
                                                                                  MD5:348958EDC7973BE1EE3FC2240B381132
                                                                                  SHA1:81A95A37F205E795EE26A143DB1F37D3F7FFD03A
                                                                                  SHA-256:2D6D76790DFF044A94DE3263545E0FBBBD31C32EB90C29E57F1FFC95A0D5A445
                                                                                  SHA-512:063C50158DDFBD7B944C234F2A5DF05F3A6441D153783344479918C4FC72843CD8ED2D9B68B479F195018B6A9CF20C674F21D77B3423710E0EB69BFD86CCC148
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1395
                                                                                  Entropy (8bit):5.772042343361548
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XAqc6zvnrLgEGOc93W2JeFmaR7CQzttgBcu141CjrWpHfRzVCV9FJN9:YvEvHgDv3W2aYQfgB5OUupHrQ9FJD
                                                                                  MD5:5FCB5F6C723115EF17F7ABEBB82E2225
                                                                                  SHA1:DFFB45C6B5A588F83CC507BB9F74645EF734CC8A
                                                                                  SHA-256:2948DF1336FEFDCB06076149B5B7879E147BE40C2E759D2492FB8123B7F27445
                                                                                  SHA-512:E0C1ACA18933199421101F7FE901A24906F700FFC1B08BCDB15DF2CE5AC33844859F5DD3383663522F437840DA8434A75BC2BED9435AF913389824643EEA5D62
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_RHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"57802_176003ActionBlock_0","campaignId":57802,"containerId":"1","controlGroupId":"","treatmentId":"d0374f2d-08b2-49b9-9500-3392758c9e2e","variationId":"176003"},"containerId":1,"containerLabel":"JSON for Reader DC RHP Banner","content":{"data":"eyJjdGEiOnsidHlwZSI6ImJ1dHRvbiIsInRleHQiOiJGcmVlIDctRGF5IFRyaWFsIiwiZ29fdXJsIjoiaHR0cHM6Ly9hY3JvYmF0LmFkb2JlLmNvbS9wcm94eS9wcmljaW5nL3VzL2VuL3NpZ24tZnJlZS10cmlhbC5odG1sP3RyYWNraW5naWQ9UEMxUFFMUVQmbXY9aW4tcHJvZHVjdCZtdjI9cmVhZGVyIn0sInVpIjp7InRpdGxlX3N0eWxpbmciOnsiZm9udF9zaXplIjoiMTQiLCJmb250X3N0eWxlIjoiMyJ9LCJkZXNjcmlwdGlvbl9zdHlsaW5nIjp7ImZvbnRfc2l6ZSI6IjEyIiwiZm9udF9zdHlsZSI6IjMifSwidGl0

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):291
                                                                                  Entropy (8bit):5.252042593286146
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfbPtdPeUkwRe9:YvXKXAkhcZEZc0vQGDV8Ukee9
                                                                                  MD5:D40AE26AF2178DAF2F4A0EC221311774
                                                                                  SHA1:188BC4E41D4CDA3F7A161550D71A882AC8C24F1A
                                                                                  SHA-256:9CB87F9539684588885046CFF5EB4139875033C57BD492308896D6315FF4F8F6
                                                                                  SHA-512:42C9C896A14AF80AC068E35DF884DA50B812B8CD3B790DF0DA7D7789351D63003D00681E62BE99D7EFC3A8BAD2CD513F41AFEA64EED64DBE309E55AB45150B8E
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):287
                                                                                  Entropy (8bit):5.257094926840532
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJf21rPeUkwRe9:YvXKXAkhcZEZc0vQG+16Ukee9
                                                                                  MD5:43C3F01CCF9B25BB682225A41103655C
                                                                                  SHA1:45756C7D92D9873C786C1C14CE2366FF5B736CFD
                                                                                  SHA-256:A5CA5699FE6EA19EB90C270B59144CC45212C577E787C0D1C8A80B52AE284414
                                                                                  SHA-512:A6DBB0A6277FA1851A893A6E123405E37E1D1D22F798BF999BBFD780C4CAC529F30A48A36D9D8F580B3EE19EA027149D60152AC90B056D465C0EC726A1708624
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):1026
                                                                                  Entropy (8bit):5.625024976076591
                                                                                  Encrypted:false
                                                                                  SSDEEP:24:Yv6XAqc6zv1amXayLgE7cMCBNaqnl0RCmK8czOC/BSE:YvEhBgACBOAh8cvME
                                                                                  MD5:D9EF4BCC4AC57A28880611EFD133391C
                                                                                  SHA1:48F8F78741F58F6B4095A16EF20E33F973A17DF1
                                                                                  SHA-256:8740C9598527EC266F5D4362F658C52D5A9046AE69C917E15C70392104E2CF8E
                                                                                  SHA-512:C0352B927A8EF2CA44C53883C61BC83FDD2DD83F5CD45F115F12B0F1ABAF1280FE6A7AFD97556A640E4BD99D8AFE892EAB695B71F49F871743EEABF7B0AA8AED
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"92038_285529ActionBlock_0","campaignId":92038,"containerId":"1","controlGroupId":"","treatmentId":"6291f52b-6cb0-4d31-bc46-37ce85e9eb25","variationId":"285529"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"application\/json","encodingScheme":true},"endDTS":1751323379000,"s

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):286
                                                                                  Entropy (8bit):5.232330618810849
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:YEQXJ2HXD4ViXhclEc9VoZcg1vRcR0Yh2xoAvJfshHHrPeUkwRe9:YvXKXAkhcZEZc0vQGUUUkee9
                                                                                  MD5:028BF6935DBD02450287F35E8F477E2D
                                                                                  SHA1:35124BF6AE9DEC4785C162B2C188D910E2B1F4F5
                                                                                  SHA-256:74EDB50921C284194AA2169A45A4B9ECE555DB4E55380A809F88721A5A8040D0
                                                                                  SHA-512:D75FE9DF0069E68B616ADF5B2A2CFC6BD1001E611C7FD85A3F54D86C27024A3EFA86B356A66B6579DFBC87D39A987DFF7F0AA9542127BD6623B35C8DC9A6E193
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):782
                                                                                  Entropy (8bit):5.357232349707505
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:YvXKXAkhcZEZc0vQGTq16Ukee1+3CEJ1KXd15kcyKMQo7P70c0WM6ZB/uhWx:Yv6XAqc6zvG168CgEXX5kcIfANhE
                                                                                  MD5:B9AF8E7358CEF762D39943C73F446D63
                                                                                  SHA1:EE446FA654894306DE2C250876C08D5D50D2FA83
                                                                                  SHA-256:11D41F95AC517BAC0A8BCA72A821B8FBA26E459D5565B0B745EE18CAA97FA52D
                                                                                  SHA-512:627F8E72D749B961858FCA68F69B841FCD28E089097652E32250DF1E368F98E3ECC867FD3F3A3C9AF8CAF2B2DBCE0383595751143B4EDF463FE86E0FF56247F1
                                                                                  Malicious:false
                                                                                  Preview:{"analyticsData":{"responseGUID":"440517ac-0e07-48e3-a4a5-4b9ee08adfad","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1730498130612,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"Edit_InApp_Aug2020"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"20360_57769ActionBlock_0","campaignId":20360,"containerId":"1","controlGroupId":"","treatmentId":"3c07988a-9c54-409d-9d06-53885c9f21ec","variationId":"57769"},"containerId":1,"containerLabel":"JSON for switching in-app test","content":{"data":"eyJ1cHNlbGxleHBlcmltZW50Ijp7InRlc3RpZCI6IjEiLCJjb2hvcnQiOiJicm93c2VyIn19","dataType":"application\/json","encodingScheme":true},"endDTS":1735804679000,"startDTS":1730324775652}}}}

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):4
                                                                                  Entropy (8bit):0.8112781244591328
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:e:e
                                                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                  Malicious:false
                                                                                  Preview:....

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):2818
                                                                                  Entropy (8bit):5.143808960267192
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:YvFvplNk7aCF06d8mD4ZAQmL3dgMuj9lA:uvjNkb06amD4ZRm5gM8lA
                                                                                  MD5:898FC4EEFA45AB6AC08869D6737741F6
                                                                                  SHA1:C392940AC0D8FC76A25ADBB44F459C17F12929B3
                                                                                  SHA-256:3E3D0FDD4B656E8C20909ABE3CEC64021F9F835E3553C9C9AA551116465F756B
                                                                                  SHA-512:8521C8817D192FFFB2F2645FEFE90C60CA0051E91B504BC35C9F37E028E30AC5BD6ABAEF48AD89B91EBC17CE00841F32878435185FCD07521F0533190890A145
                                                                                  Malicious:false
                                                                                  Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"2b3a3b264036d1bf8ab6f421041cb435","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1050,"ts":1730324775000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"3d3abf63ca4cdb57e29fc1fde7d2bf20","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":1164,"ts":1730324775000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"43847b7fcc8fd661590cb2fcf92e62bc","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1026,"ts":1730324775000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"f61883c56fdf21de335f1b1e7b49231e","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1055,"ts":1730324775000},{"id":"DC_Reader_Edit_LHP_Banner","info":{"dg":"cbc6604f3a3276f47f3aee62a722ecf3","sid":"DC_Reader_Edit_LHP_Banner"},"mimeType":"file","size":1038,"ts":1730324775000},{"id":"Edit_InApp_Aug2020","info":{"dg":"91736647a48f747403f2a91e7a51ee09","sid":"Edit_InApp_Aug2020"},"mimeType":"file","size":782,"ts":17

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                  Category:dropped
                                                                                  Size (bytes):12288
                                                                                  Entropy (8bit):1.1881595810725065
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:TGufl2GL7msEHUUUUUUUU0oSvR9H9vxFGiDIAEkGVvpYG:lNVmswUUUUUUUUR+FGSItV
                                                                                  MD5:7C83CE2D5F9C355F3373A0ABFF7272FD
                                                                                  SHA1:4EC952AE27B03FC68A995C359FC47E75DD44C4F3
                                                                                  SHA-256:2E30610F1E175E4244C3D0A65AF915D34BE3F1720CC69AC95CBD9315CEA87441
                                                                                  SHA-512:F5932D4FF6EEF1621EB6D926C019E13153183049A6B54E1F9C845A7380D5164F53144BB820F126195B1ADCCEF64CC7E278CE6687A35581323A60E99C5B1D437A
                                                                                  Malicious:false
                                                                                  Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:SQLite Rollback Journal
                                                                                  Category:dropped
                                                                                  Size (bytes):8720
                                                                                  Entropy (8bit):1.6079818744904641
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:7MQ4KUUUUUUUUUU0qvR9H9vxFGiDIAEkGVvRqFl2GL7msr:7/UUUUUUUUUU9FGSItTKVmsr
                                                                                  MD5:D04D482FFAA521DB5BE4256685AB2F84
                                                                                  SHA1:92775EF6E34E5254CF2C6E7245D1892F49D25F6B
                                                                                  SHA-256:6FB94F4487C0C487C53091FB0BE0180E95C5E7BEB4E2E0C1E274F5D0A8993255
                                                                                  SHA-512:8BCF60246215A086458D8882335B5905F21C6B066ABF8E2CBB5E332960628ED31DBACDAEBDC272B8651478CF4685BDB840FCAAF0F25C0A18BDFA13E97C82DCB6
                                                                                  Malicious:false
                                                                                  Preview:.... .c.....).......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Users\user\AppData\Local\Temp\Doc.pdf

                                                                                  Download File
                                                                                  Process:C:\Users\user\Desktop\0438.pdf.exe
                                                                                  File Type:PDF document, version 1.7, 1 pages (zip deflate encoded)
                                                                                  Category:dropped
                                                                                  Size (bytes):125552
                                                                                  Entropy (8bit):7.579988719622451
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:N0N5xSlECZcbZ42IlWpy67H/AvLpMpBXCF4KMvX6UkMZdEMLHMgifPdEoLIeLA+6:CNPSiJZ4xy8DlivXREMBOlEoMeLjCiQ
                                                                                  MD5:7827620BA2CD12D54B41C006BA4D686C
                                                                                  SHA1:F6B40CB23006AD0E1AFD4C08CA943A75258FAB34
                                                                                  SHA-256:9DAA46F8D84B0E65E2D5FDF7FCD80FF6CA922278C32A2B5C9425C0C5EF7D2096
                                                                                  SHA-512:9782FB4DBA6F62A589BF213AE5CCE3F66514319363F499B584DC854ACC1DCD94221102BDDAC982AA9DB36C5B7696BD1ABACF7C15771CDECC317B2F3421CCA321
                                                                                  Malicious:false
                                                                                  Preview:%PDF-1.7..%......1 0 obj..<</Type/Catalog/Pages 2 0 R/Lang(en) /StructTreeRoot 11 0 R/MarkInfo<</Marked true>>/Metadata 22 0 R/ViewerPreferences 23 0 R>>..endobj..2 0 obj..<</Type/Pages/Count 1/Kids[ 3 0 R] >>..endobj..3 0 obj..<</Type/Page/Parent 2 0 R/Resources<</Font<</F1 5 0 R>>/ExtGState<</GS7 7 0 R/GS8 8 0 R>>/XObject<</Image9 9 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 612 792] /Contents 4 0 R/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>/Tabs/S/StructParents 0>>..endobj..4 0 obj..<</Filter/FlateDecode/Length 188>>..stream..x.E.K..@.......R..!.4 .|$FB.."ZH.+............x.h..!/."..f....X.Q.8M.D0aGK..+.J{x.....(.kJ.FBJ&|.7J...H..f..%..Nory..M'...m9%g.......4.(AV&............2...H..B...Z..o.V#.c.....6k..endstream..endobj..5 0 obj..<</Type/Font/Subtype/TrueType/Name/F1/BaseFont/BCDEEE+Calibri/Encoding/WinAnsiEncoding/FontDescriptor 6 0 R/FirstChar 32/LastChar 32/Widths 20 0 R>>..endobj..6 0 obj..<</Type/FontDescriptor/FontName/BCDEEE+Calibri/Flags 3

                                                                                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-10-30 17-46-10-833.log

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with very long lines (393)
                                                                                  Category:dropped
                                                                                  Size (bytes):16525
                                                                                  Entropy (8bit):5.345946398610936
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                                  MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                                  SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                                  SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                                  SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                                  Malicious:false
                                                                                  Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

                                                                                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):15114
                                                                                  Entropy (8bit):5.336971251821874
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:pC2D2mHwdrMkp7HYywXiCBaI5XYoucwSUCdRz3Dv6edRLxsyQli4I5IpQnVucZhG:Am8
                                                                                  MD5:4155B09F6331D883485E79A7246B1328
                                                                                  SHA1:991AE24E3D9D509EA52CA7B3B6015400DFF50A69
                                                                                  SHA-256:6D526096CBFF72BAC6D78C34FEA0B3605F56451F7A388FE37458CCE8576B7A2D
                                                                                  SHA-512:CB6FDC86DA2180276A4469E3AB74EBB922C104B9BD3BC4F882D71F68E752B249F517970AAF7E75C520283420F3757374D026DEBF50F336A708B866A91CFA739B
                                                                                  Malicious:false
                                                                                  Preview:SessionID=8bde57c7-7043-40f5-a25b-31d1a8468f83.1730324770844 Timestamp=2024-10-30T17:46:10:844-0400 ThreadID=7352 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=8bde57c7-7043-40f5-a25b-31d1a8468f83.1730324770844 Timestamp=2024-10-30T17:46:10:845-0400 ThreadID=7352 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=8bde57c7-7043-40f5-a25b-31d1a8468f83.1730324770844 Timestamp=2024-10-30T17:46:10:845-0400 ThreadID=7352 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=8bde57c7-7043-40f5-a25b-31d1a8468f83.1730324770844 Timestamp=2024-10-30T17:46:10:845-0400 ThreadID=7352 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=8bde57c7-7043-40f5-a25b-31d1a8468f83.1730324770844 Timestamp=2024-10-30T17:46:10:845-0400 ThreadID=7352 Component=ngl-lib_NglAppLib Description="SetConf

                                                                                  C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):29752
                                                                                  Entropy (8bit):5.3890325324560155
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rz:n
                                                                                  MD5:3DABF7AC63CF081A2D079DEDE24405EF
                                                                                  SHA1:998F8E2474E2FB8BB4614F90AF3712B38F9A71C1
                                                                                  SHA-256:3DF950C4D09C8ED78FECF715BBACE5E7C5A381C58F252361E37170BC07119ED4
                                                                                  SHA-512:A5C4A3AB4F1187BBDFF754B93F750BDB63920C9B03F0825CC80E1D4C0B37197E6A88CBDDD6EEE44CD201DC97CD4014275C22F9A7D5A808C003C4CD3EE243253C
                                                                                  Malicious:false
                                                                                  Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

                                                                                  C:\Users\user\AppData\Local\Temp\acrocef_low\108229d1-2931-49b7-986c-c055cba311a7.tmp

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                  Category:dropped
                                                                                  Size (bytes):386528
                                                                                  Entropy (8bit):7.9736851559892425
                                                                                  Encrypted:false
                                                                                  SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                  MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                  SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                  SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                  SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                  Malicious:false
                                                                                  Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

                                                                                  C:\Users\user\AppData\Local\Temp\acrocef_low\1e945f66-0fe4-4ac4-b405-e3112b3c2e9a.tmp

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                  Category:dropped
                                                                                  Size (bytes):758601
                                                                                  Entropy (8bit):7.98639316555857
                                                                                  Encrypted:false
                                                                                  SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                  MD5:3A49135134665364308390AC398006F1
                                                                                  SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                  SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                  SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                  Malicious:false
                                                                                  Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

                                                                                  C:\Users\user\AppData\Local\Temp\acrocef_low\6047f729-2554-49c7-b027-11d6aedf2d7b.tmp

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                  Category:dropped
                                                                                  Size (bytes):1407294
                                                                                  Entropy (8bit):7.97605879016224
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZ7wYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs03WLaGZw
                                                                                  MD5:8B9FA2EC5118087D19CFDB20DA7C4C26
                                                                                  SHA1:E32D6A1829B18717EF1455B73E88D36E0410EF93
                                                                                  SHA-256:4782624EA3A4B3C6EB782689208148B636365AA8E5DAF00814FA9AB722259CBD
                                                                                  SHA-512:662F8664CC3F4E8356D5F5794074642DB65565D40AC9FEA323E16E84EBD4F961701460A1310CC863D1AB38849E84E2142382F5DB88A0E53F97FF66248230F7B9
                                                                                  Malicious:false
                                                                                  Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                  C:\Users\user\AppData\Local\Temp\acrocef_low\73cb08e8-44be-4f78-bae0-658de012e55f.tmp

                                                                                  Download File
                                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                  Category:dropped
                                                                                  Size (bytes):1419751
                                                                                  Entropy (8bit):7.976496077007677
                                                                                  Encrypted:false
                                                                                  SSDEEP:24576:/VRaWL07oXGZ4YIGNPJNdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:tRaWLxXGZ4ZGh3mlind9i4ufFXpAXkru
                                                                                  MD5:41034A6B023B6BB9C723DA146E190954
                                                                                  SHA1:22C95166FF8A1C4D2AAC25B75D804CEBAAA6ACF2
                                                                                  SHA-256:52BB8B0CA62248721986D650004C11ACCB0C988B6FBA645D9B4E3557CA87A15D
                                                                                  SHA-512:6F8CD54BBB750E32FEBD78895F433CCF0C553C56E6B7DDEA03E3EA36ED283084CF6EA6FA8999162999D184B0F04B6E6DAB7F6FC27648EE517F744D7E8DBC8AAD
                                                                                  Malicious:false
                                                                                  Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.

                                                                                  C:\Users\user\AppData\Local\Temp\pdf.msi

                                                                                  Download File
                                                                                  Process:C:\Users\user\Desktop\0438.pdf.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                                  Category:dropped
                                                                                  Size (bytes):11554816
                                                                                  Entropy (8bit):7.9382387394429115
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
                                                                                  MD5:0C88F651EEA7EBD95DF08F6A492FCB38
                                                                                  SHA1:93E622BB18056BB61DD11805D91AB1F9267CBD67
                                                                                  SHA-256:A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
                                                                                  SHA-512:41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
                                                                                  Malicious:false
                                                                                  Preview:......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                  C:\Windows\Installer\503870.msi

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                                  Category:dropped
                                                                                  Size (bytes):11554816
                                                                                  Entropy (8bit):7.9382387394429115
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
                                                                                  MD5:0C88F651EEA7EBD95DF08F6A492FCB38
                                                                                  SHA1:93E622BB18056BB61DD11805D91AB1F9267CBD67
                                                                                  SHA-256:A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
                                                                                  SHA-512:41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
                                                                                  Malicious:false
                                                                                  Preview:......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                  C:\Windows\Installer\503873.msi

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: LiteManager - Server 5.0 installation package, Comments: This installer contains the logic and data to install LiteManager Pro - Server 5.0, Keywords: Installer,MSI,Database, Subject: LiteManager Pro - Server, Author: LiteManagerTeam, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Thu Aug 22 15:43:08 2024, Create Time/Date: Thu Aug 22 15:43:08 2024, Last Printed: Thu Aug 22 15:43:08 2024, Revision Number: {9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}, Code page: 0, Template: Intel;0,1033,1049
                                                                                  Category:dropped
                                                                                  Size (bytes):11554816
                                                                                  Entropy (8bit):7.9382387394429115
                                                                                  Encrypted:false
                                                                                  SSDEEP:196608:9Jg0ovdgTGOk/J1yr/A9ODMlWyFISx8/191nYHiT88o8En03yEoH8WkJDFa:bAJoLA9OIlWy58/19J+iYNPEoHg0
                                                                                  MD5:0C88F651EEA7EBD95DF08F6A492FCB38
                                                                                  SHA1:93E622BB18056BB61DD11805D91AB1F9267CBD67
                                                                                  SHA-256:A1FAAE4E2B695C7DF3846179192F4E67BD8DD05E7E5C6D0B4B72DB175F629076
                                                                                  SHA-512:41F69CFCDA6EBB6DD6984D21B19E952BA25C78404B138FF25A8E16283D9080B5E2A85AF4973EC25A4F45F8D402163CCE96906F06F3FBA2068571F1F1ACBEA86C
                                                                                  Malicious:false
                                                                                  Preview:......................>...................................8........6..................}.................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........<................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...@...M...:...;...=...........?...N...A...B...C...D...E...F...G...H...I...J...O...L...N...D.......P...Q...R...S...T...Z...V...W...X...Y....X..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                  C:\Windows\Installer\MSI3D90.tmp

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):294216
                                                                                  Entropy (8bit):4.850811114045699
                                                                                  Encrypted:false
                                                                                  SSDEEP:3072:nzoy2KjcC2jcmFDX/vjcJGUjcmFDX/rjcmFDX/dZ+oNbynfk:nzoy25DXmNDXLDXX+oNbynfk
                                                                                  MD5:8BEF72B05B3C4F607A8A19D025085F14
                                                                                  SHA1:AE8F48F200CF4E59955F7D305820875F92591359
                                                                                  SHA-256:653352B59079E5ABDFDE72AA4F61AEED60463EB17E75E7C423A2A843749F2293
                                                                                  SHA-512:FF1AC5FE6001EE3249CE8403B8844C94C71C6341BD746A7C1791FC442CF1CC00C21D5E879BCF430E1BA58540AD32C1593A69364834968C07C5CE7DA9B15D1EDF
                                                                                  Malicious:false
                                                                                  Preview:...@IXOS.@.....@.^Y.@.....@.....@.....@.....@.....@......&.{71FFA475-24D5-44FB-A51F-39B699E3D82C}..LiteManager Pro - Server..pdf.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{9EF586E9-112B-4AAE-B439-5B62B7A0B1DE}.....@.....@.....@.....@.......@.....@.....@.......@......LiteManager Pro - Server......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3244CDE6-6414-4399-B0D5-424562747210}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{4D4D18AA-F74D-4291-B5A9-93C3CC48B75F}5.C:\Program Files (x86)\LiteManager Pro - Server\Lang\.@.......@.....@.....@......&.{641F154A-FEEF-4FA7-B5BF-414DB1DB8390}C.C:\Program Files (x86)\LiteManager Pro - Server\files\ROMViewer.exe.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}0.C:\Program Files (x86)\LiteManager Pro - Server\.@.......@.....@.....@......&.{596F4636-5D51-49

                                                                                  C:\Windows\Installer\SourceHash{71FFA475-24D5-44FB-A51F-39B699E3D82C}

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.1622879140215452
                                                                                  Encrypted:false
                                                                                  SSDEEP:12:JSbX72FjSQAGiLIlHVRpqh/7777777777777777777777777vDHFGpZl0i8Q:JMQQI56dF
                                                                                  MD5:8099B778F57842AE9C6800315D49EF73
                                                                                  SHA1:1FB8A9F69F7B999FA824EFFA902332A4FB083C20
                                                                                  SHA-256:3CBBD8E41A3C4B36A8737FD5CDE72220076867E7AAC086E245D72EBA714CAA6A
                                                                                  SHA-512:8C11940965E9B3FBAE154EA89229C0D66B6FBEA51DDE066FEDA6189F307511AF665E6C96D85B5B0C47E5593A868094EAA451E832E484CCF22BDE4A3E2030B3C4
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.786966154456378
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:N8Ph+uRc06WXJMnT5SlF9galrV9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISR:wh+1vnT0wurGm0WlfPu2qC0WlfIF/
                                                                                  MD5:664BDAD03857943DF9992B2FCC2ED413
                                                                                  SHA1:4BD3268B5820AB24FB63B5DA58C481EAB91E5043
                                                                                  SHA-256:E3266CCF168D3FAB43854CDF55FAF9BC38CD9BF3C653F8598B28D73B14F17D8E
                                                                                  SHA-512:FB02A7302BB74F9B5ADC603FA657F6C25081B2036E0AE42BA968EF78EC006392538FEA0647747FF23DC81F49F1129E0006397D399D436AEB3F804C3EE6391811
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ARPPRODUCTICON.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):53248
                                                                                  Entropy (8bit):4.351781833522881
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:AvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZUNeLNek+vDFNe+TNy:+MAyYdTmPJbgqcnDcCNy
                                                                                  MD5:CA680899D9330BEB85E6351E6DC0D27B
                                                                                  SHA1:41E89E582F58FB2A4ED06FA3BF796A1DAAC5CB6C
                                                                                  SHA-256:EAB5DC45781E92CD5CF953016757B1E6F2ED7A0B5A97CC0945B19A8FBC1A85F2
                                                                                  SHA-512:3817BD6EC345F96631E6CBF6C8DD384ACB17D912B1EC69D959F3AA15C05226D5FE3B5E9807D42D0E63589AABCEADFBE8BD5F293D8069DF689D12498E05842286
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(........0...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....0.......@..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\ROMServer.exe_9D09B2BC25A2414CBD848E2B75898676.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):57344
                                                                                  Entropy (8bit):4.774504587732323
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                                  MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                                  SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                                  SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                                  SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\UNINST_Uninstall_L_78AA5B6662514D94A847D6C603AF0895.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):49152
                                                                                  Entropy (8bit):4.31126714354722
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:EvFMAyDNOdTdFCxfrwntajXjDWLi9Y+C5vy/Q1nDcZMwQE3vGYksuektm6yysZc8:SMAyYdTmPJbgqcnDcmwQE/RkHRRNS
                                                                                  MD5:6A4AFFF2CD33613166B37A0DAB99BD41
                                                                                  SHA1:FBC0F1696213B459D099A5809D79CFC01253880F
                                                                                  SHA-256:53C1AE4962663E82D3AAC7C4A6CBE3D53E05D6948ADAE6391A2748396ACF98FE
                                                                                  SHA-512:7B61D32E4AD38BC21E86559BFFA49A334CCB6184E595CB43F2D60A2A77C86B31D07B1A9D1F8FBE69E9AAD7E096952D765404BEBC494E73BD992642EB6B82E3A7
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...p...............P....@.........................................................................4T..(........+...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....+.......0..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\config_server_B6BD2967C67B44649764F06ADFFD6458.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):57344
                                                                                  Entropy (8bit):4.774504587732323
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                                  MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                                  SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                                  SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                                  SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Installer\{71FFA475-24D5-44FB-A51F-39B699E3D82C}\stop_server_51B516B87C64408FA3C56354EA2277C2.exe

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Category:dropped
                                                                                  Size (bytes):57344
                                                                                  Entropy (8bit):4.774504587732323
                                                                                  Encrypted:false
                                                                                  SSDEEP:768:SMAyYdTmPJbgqcnDcZTw0gpEeO4tZZz+0pQTk/N0:S1U81cmpjDX/N0
                                                                                  MD5:5EBCB54B76FBE24FFF9D3BD74E274234
                                                                                  SHA1:6CD72F044F36B7A3A79B7D77AAE59F274A66CE95
                                                                                  SHA-256:504AEB909BBA186D4298AA97DCD6A09CCDD42217AF1F6210BC5EBD23B3DFCCBF
                                                                                  SHA-512:5FF61D724B77B6EDC67D33B0F1EE1C3CB01F2A03251D0BE83FF10A80A99DBA08E3A0E0F985DEED6358E467B2E9B6A837E894513D1B5E68AF253C0BBDD68539D0
                                                                                  Malicious:false
                                                                                  Antivirus:
                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L...J&uU.................@...................P....@.........................................................................4T..(.......xC...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc...xC.......P..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                  Category:dropped
                                                                                  Size (bytes):432221
                                                                                  Entropy (8bit):5.375173287975219
                                                                                  Encrypted:false
                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaui:zTtbmkExhMJCIpErr
                                                                                  MD5:93ECE654207406D3F2099086A88D7B3F
                                                                                  SHA1:4659D94BB41C74D9A576EA9B0FAE877B4197D5A7
                                                                                  SHA-256:76CCF6ADFC776D5AA5F25BC0E92855D857C864EFD738BB473ADAD1BDB8C445C1
                                                                                  SHA-512:096BA43729D801798009EBC2F6237D0F0142BAD3987B22371A2B2C7A860BD3654A2C5A2A3E00971C2B8FB73F49E508A5D6AEE4CBDFD2733B446C3A6B7B17AE80
                                                                                  Malicious:false
                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                  C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                  File Type:JSON data
                                                                                  Category:dropped
                                                                                  Size (bytes):55
                                                                                  Entropy (8bit):4.306461250274409
                                                                                  Encrypted:false
                                                                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                  Malicious:false
                                                                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                                  C:\Windows\Temp\~DF045F6D29164BEA95.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):73728
                                                                                  Entropy (8bit):0.221724417966281
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:PHwmFSB29lOd5YpRXd5YNd5YGd5YMd5Yu9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad9:PH5FqC0WlfVm0WlfPunCiY
                                                                                  MD5:ACBA2F92AC3EE1BACD8AD4740D5E07F8
                                                                                  SHA1:4D4CCD9A9B63367876C7EC16DA626204DFB0A21B
                                                                                  SHA-256:67183AF23FC26266026BEC73128F0A6D11C6E1E326EC4F3B71F51A3822852268
                                                                                  SHA-512:62715C497F2E7509A992023060311767EF57E50187E36E9FCAE8E5A81E1F3D522589D4DD0B876350D1CDA683072F913F88E99010837BFB759926F1B9018E505C
                                                                                  Malicious:false
                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF28245C8D906300D2.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4157586403444926
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:5ZlWuDM+CFXJjT55qXlF9galrV9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISR:JWZ7T3cwurGm0WlfPu2qC0WlfIF/
                                                                                  MD5:0F73EE27EFBA7E7549041C1E340C4BF4
                                                                                  SHA1:63346080779568E8733A7635C64403C7F22B0CF3
                                                                                  SHA-256:75C2F62679B02B31FD7F5702C31B8D99763AF6810AB6461DFB7818FC6C4BB8D4
                                                                                  SHA-512:B02AD11B65DBA2685C9FECD622F104C2328A49614A36ADBCA4BE6AD14876C41DDF7550179B36BA7A2A7852320F0D467E4C707D8D2CB93E866F918B1669F62639
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF3E9D1B8B739CE9D1.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):0.06823846717123914
                                                                                  Encrypted:false
                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOYYbmc6Vky6lZ:2F0i8n0itFzDHFTZ
                                                                                  MD5:43121AF9C0468049B811D5DE9EE986C6
                                                                                  SHA1:3D65F87A3C467D0DE2BF8F07A60621B947A9CE4C
                                                                                  SHA-256:592C5B6D2ADD44B5EFCE1D5A353279925147188A1C15B56B1189E89FE97374E0
                                                                                  SHA-512:0B09D5648F1374083996F24FF71AE87B22F152D907C91B84567CA27B985F05C447AF27527A3E760F44817300DB8680F73F5D86A36B9DC157AA3E6C5BB6BC6831
                                                                                  Malicious:false
                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF3F87AB64C16B0331.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.786966154456378
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:N8Ph+uRc06WXJMnT5SlF9galrV9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISR:wh+1vnT0wurGm0WlfPu2qC0WlfIF/
                                                                                  MD5:664BDAD03857943DF9992B2FCC2ED413
                                                                                  SHA1:4BD3268B5820AB24FB63B5DA58C481EAB91E5043
                                                                                  SHA-256:E3266CCF168D3FAB43854CDF55FAF9BC38CD9BF3C653F8598B28D73B14F17D8E
                                                                                  SHA-512:FB02A7302BB74F9B5ADC603FA657F6C25081B2036E0AE42BA968EF78EC006392538FEA0647747FF23DC81F49F1129E0006397D399D436AEB3F804C3EE6391811
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF437719EDE9910C56.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF578AEE3EF53C1712.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4157586403444926
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:5ZlWuDM+CFXJjT55qXlF9galrV9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISR:JWZ7T3cwurGm0WlfPu2qC0WlfIF/
                                                                                  MD5:0F73EE27EFBA7E7549041C1E340C4BF4
                                                                                  SHA1:63346080779568E8733A7635C64403C7F22B0CF3
                                                                                  SHA-256:75C2F62679B02B31FD7F5702C31B8D99763AF6810AB6461DFB7818FC6C4BB8D4
                                                                                  SHA-512:B02AD11B65DBA2685C9FECD622F104C2328A49614A36ADBCA4BE6AD14876C41DDF7550179B36BA7A2A7852320F0D467E4C707D8D2CB93E866F918B1669F62639
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF76604B3D0163EF41.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF80F3692C37C55AFB.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):32768
                                                                                  Entropy (8bit):1.4157586403444926
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:5ZlWuDM+CFXJjT55qXlF9galrV9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISR:JWZ7T3cwurGm0WlfPu2qC0WlfIF/
                                                                                  MD5:0F73EE27EFBA7E7549041C1E340C4BF4
                                                                                  SHA1:63346080779568E8733A7635C64403C7F22B0CF3
                                                                                  SHA-256:75C2F62679B02B31FD7F5702C31B8D99763AF6810AB6461DFB7818FC6C4BB8D4
                                                                                  SHA-512:B02AD11B65DBA2685C9FECD622F104C2328A49614A36ADBCA4BE6AD14876C41DDF7550179B36BA7A2A7852320F0D467E4C707D8D2CB93E866F918B1669F62639
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DF8A070A31F4CC314A.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DFB6533660C7B796BA.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DFCA82EF531E697040.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):512
                                                                                  Entropy (8bit):0.0
                                                                                  Encrypted:false
                                                                                  SSDEEP:3::
                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                  Malicious:false
                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  C:\Windows\Temp\~DFCEC3E934ED492C2D.TMP

                                                                                  Download File
                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                  Category:dropped
                                                                                  Size (bytes):20480
                                                                                  Entropy (8bit):1.786966154456378
                                                                                  Encrypted:false
                                                                                  SSDEEP:48:N8Ph+uRc06WXJMnT5SlF9galrV9mSvOd5YpRXd5YNd5YGd5YMd5YP6Ad5YYo9ISR:wh+1vnT0wurGm0WlfPu2qC0WlfIF/
                                                                                  MD5:664BDAD03857943DF9992B2FCC2ED413
                                                                                  SHA1:4BD3268B5820AB24FB63B5DA58C481EAB91E5043
                                                                                  SHA-256:E3266CCF168D3FAB43854CDF55FAF9BC38CD9BF3C653F8598B28D73B14F17D8E
                                                                                  SHA-512:FB02A7302BB74F9B5ADC603FA657F6C25081B2036E0AE42BA968EF78EC006392538FEA0647747FF23DC81F49F1129E0006397D399D436AEB3F804C3EE6391811
                                                                                  Malicious:false
                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                  Static File Info

                                                                                  General

                                                                                  File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                  Entropy (8bit):7.9367051756500695
                                                                                  TrID:
                                                                                  • Win64 Executable GUI (202006/5) 92.65%
                                                                                  • Win64 Executable (generic) (12005/4) 5.51%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                  • DOS Executable Generic (2002/1) 0.92%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:0438.pdf.exe
                                                                                  File size:11'654'747 bytes
                                                                                  MD5:2d11dba46735af1cb1c0a42e9564e20d
                                                                                  SHA1:b2e17960c6d080f7aba7df87f57c08b4bc2e7051
                                                                                  SHA256:e19477a56b247e6cc435fee367abcf6e0c3db21de91ae2514b4a6b1807233c53
                                                                                  SHA512:f053c18333c256c87492e7e74832f2ba695c1633cc80d59e4d426eda82d27d7402a22803e439bb2453f4fa12f00697de355edd61c300b7624c66723d7e54dad0
                                                                                  SSDEEP:196608:tqwvI8YbsGBCEfbi57P6mCRTMFCxZ9zzvHLbax3QS+hbEPjwDhZzczDlUxMUd:ZIRwGjfbi5DCRoOPzzvfaEAPgOHm5d
                                                                                  TLSH:42C6331BFF5D04EAF1AF99F899415022D7B57CC51720868F23B43E4AED736A1AA35302
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

                                                                                  File Icon

                                                                                  Icon Hash:3570b080889388e1

                                                                                  Static PE Info

                                                                                  General

                                                                                  Entrypoint:0x140032ee0
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x140000000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x66409723 [Sun May 12 10:17:07 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:2
                                                                                  File Version Major:5
                                                                                  File Version Minor:2
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:2
                                                                                  Import Hash:b1c5b1beabd90d9fdabd1df0779ea832

                                                                                  Entrypoint Preview

                                                                                  Instruction
                                                                                  dec eax
                                                                                  sub esp, 28h
                                                                                  call 00007FA754C3A7E8h
                                                                                  dec eax
                                                                                  add esp, 28h
                                                                                  jmp 00007FA754C3A17Fh
                                                                                  int3
                                                                                  int3
                                                                                  dec eax
                                                                                  mov eax, esp
                                                                                  dec eax
                                                                                  mov dword ptr [eax+08h], ebx
                                                                                  dec eax
                                                                                  mov dword ptr [eax+10h], ebp
                                                                                  dec eax
                                                                                  mov dword ptr [eax+18h], esi
                                                                                  dec eax
                                                                                  mov dword ptr [eax+20h], edi
                                                                                  inc ecx
                                                                                  push esi
                                                                                  dec eax
                                                                                  sub esp, 20h
                                                                                  dec ebp
                                                                                  mov edx, dword ptr [ecx+38h]
                                                                                  dec eax
                                                                                  mov esi, edx
                                                                                  dec ebp
                                                                                  mov esi, eax
                                                                                  dec eax
                                                                                  mov ebp, ecx
                                                                                  dec ecx
                                                                                  mov edx, ecx
                                                                                  dec eax
                                                                                  mov ecx, esi
                                                                                  dec ecx
                                                                                  mov edi, ecx
                                                                                  inc ecx
                                                                                  mov ebx, dword ptr [edx]
                                                                                  dec eax
                                                                                  shl ebx, 04h
                                                                                  dec ecx
                                                                                  add ebx, edx
                                                                                  dec esp
                                                                                  lea eax, dword ptr [ebx+04h]
                                                                                  call 00007FA754C39603h
                                                                                  mov eax, dword ptr [ebp+04h]
                                                                                  and al, 66h
                                                                                  neg al
                                                                                  mov eax, 00000001h
                                                                                  sbb edx, edx
                                                                                  neg edx
                                                                                  add edx, eax
                                                                                  test dword ptr [ebx+04h], edx
                                                                                  je 00007FA754C3A313h
                                                                                  dec esp
                                                                                  mov ecx, edi
                                                                                  dec ebp
                                                                                  mov eax, esi
                                                                                  dec eax
                                                                                  mov edx, esi
                                                                                  dec eax
                                                                                  mov ecx, ebp
                                                                                  call 00007FA754C3C327h
                                                                                  dec eax
                                                                                  mov ebx, dword ptr [esp+30h]
                                                                                  dec eax
                                                                                  mov ebp, dword ptr [esp+38h]
                                                                                  dec eax
                                                                                  mov esi, dword ptr [esp+40h]
                                                                                  dec eax
                                                                                  mov edi, dword ptr [esp+48h]
                                                                                  dec eax
                                                                                  add esp, 20h
                                                                                  inc ecx
                                                                                  pop esi
                                                                                  ret
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  dec eax
                                                                                  sub esp, 48h
                                                                                  dec eax
                                                                                  lea ecx, dword ptr [esp+20h]
                                                                                  call 00007FA754C28B93h
                                                                                  dec eax
                                                                                  lea edx, dword ptr [00025747h]
                                                                                  dec eax
                                                                                  lea ecx, dword ptr [esp+20h]
                                                                                  call 00007FA754C3B3E2h
                                                                                  int3
                                                                                  jmp 00007FA754C415C4h
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3

                                                                                  Rich Headers

                                                                                  Programming Language:
                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 SP1 build 30729

                                                                                  Data Directories

                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x597a00x34.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x597d40x50.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x700000x5f334.rsrc
                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x6a0000x306c.pdata
                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xd00000x970.reloc
                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x536c00x54.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x537800x28.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x4b3f00x140.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x480000x508.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x588bc0x120.rdata
                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                  Sections

                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                  .text0x10000x4676e0x46800f06bb06e02377ae8b223122e53be35c2False0.5372340425531915data6.47079645411382IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                  .rdata0x480000x128c40x12a002de06d4a6920a6911e64ff20000ea72fFalse0.4499003775167785data5.273999097784603IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .data0x5b0000xe75c0x1a000dbdb901a7d477980097e42e511a94fbFalse0.28275240384615385data3.2571023907881185IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                  .pdata0x6a0000x306c0x3200b0ce0f057741ad2a4ef4717079fa34e9False0.483359375data5.501810413666288IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .didat0x6e0000x3600x4001fcc7b1d7a02443319f8fcc2be4ca936False0.2578125data3.0459938492946015IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                  _RDATA0x6f0000x15c0x2003f331ec50f09ba861beaf955b33712d5False0.408203125data3.3356393424384843IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .rsrc0x700000x5f3340x5f400ac83509a9abddcfebcee4527be350f1aFalse0.06483503526902887data2.1781366278912278IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                  .reloc0xd00000x9700xa0077a9ddfc47a5650d6eebbcc823e39532False0.52421875data5.336289720085303IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                  Resources

                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                  PNG0x706440xb45PNG image data, 93 x 302, 8-bit/color RGB, non-interlacedEnglishUnited States1.0027729636048528
                                                                                  PNG0x7118c0x15a9PNG image data, 186 x 604, 8-bit/color RGB, non-interlacedEnglishUnited States0.9363390441839495
                                                                                  RT_ICON0x727380x42028Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m0.023615261709619195
                                                                                  RT_ICON0xb47600x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m0.3191489361702128
                                                                                  RT_ICON0xb4bc80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m0.11867219917012448
                                                                                  RT_ICON0xb71700x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m0.17284240150093808
                                                                                  RT_ICON0xb82180x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m0.04436294806577547
                                                                                  RT_ICON0xc8a400x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m0.08644307982994803
                                                                                  RT_DIALOG0xccc680x286dataEnglishUnited States0.5092879256965944
                                                                                  RT_DIALOG0xccef00x13adataEnglishUnited States0.60828025477707
                                                                                  RT_DIALOG0xcd02c0xecdataEnglishUnited States0.6991525423728814
                                                                                  RT_DIALOG0xcd1180x12edataEnglishUnited States0.5927152317880795
                                                                                  RT_DIALOG0xcd2480x338dataEnglishUnited States0.45145631067961167
                                                                                  RT_DIALOG0xcd5800x252dataEnglishUnited States0.5757575757575758
                                                                                  RT_STRING0xcd7d40x1e2dataEnglishUnited States0.3900414937759336
                                                                                  RT_STRING0xcd9b80x1ccdataEnglishUnited States0.4282608695652174
                                                                                  RT_STRING0xcdb840x1b8dataEnglishUnited States0.45681818181818185
                                                                                  RT_STRING0xcdd3c0x146dataEnglishUnited States0.5153374233128835
                                                                                  RT_STRING0xcde840x46cdataEnglishUnited States0.3454063604240283
                                                                                  RT_STRING0xce2f00x166dataEnglishUnited States0.49162011173184356
                                                                                  RT_STRING0xce4580x152dataEnglishUnited States0.5059171597633136
                                                                                  RT_STRING0xce5ac0x10adataEnglishUnited States0.49624060150375937
                                                                                  RT_STRING0xce6b80xbcdataEnglishUnited States0.6329787234042553
                                                                                  RT_STRING0xce7740x1c0dataEnglishUnited States0.5178571428571429
                                                                                  RT_STRING0xce9340x250dataEnglishUnited States0.44256756756756754
                                                                                  RT_GROUP_ICON0xceb840x5adata0.7555555555555555
                                                                                  RT_MANIFEST0xcebe00x753XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.39786666666666665

                                                                                  Imports

                                                                                  DLLImport
                                                                                  KERNEL32.dllLocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
                                                                                  OLEAUT32.dllSysAllocString, SysFreeString, VariantClear
                                                                                  gdiplus.dllGdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

                                                                                  Possible Origin

                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                  EnglishUnited States

                                                                                  Network Behavior

                                                                                  Network Port Distribution

                                                                                  TCP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Oct 30, 2024 22:46:24.811031103 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:24.811100960 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:24.811212063 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:24.811414957 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:24.811445951 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.577523947 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.578404903 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.578439951 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.581708908 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.581783056 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.670886993 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.671185970 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.671335936 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.719326019 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.738729954 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.738750935 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.785590887 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.802082062 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.802225113 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:46:25.802335978 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.855268002 CET56266443192.168.2.496.7.168.138
                                                                                  Oct 30, 2024 22:46:25.855298042 CET4435626696.7.168.138192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.522905111 CET563605651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.529723883 CET565156360111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.529833078 CET563605651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.538011074 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.543967009 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.547394037 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.554315090 CET5636280192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.560133934 CET8056362111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.560381889 CET5636280192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.570128918 CET56363465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.575911045 CET46556363111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.576010942 CET56363465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.585314989 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.591212034 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.591356993 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.600874901 CET563655555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.606724024 CET55555636565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.606784105 CET563655555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.660908937 CET563605651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.660929918 CET563605651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.666793108 CET565156360111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.666801929 CET565156360111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.676734924 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.676749945 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.682610035 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.682620049 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.692001104 CET5636280192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.692034960 CET5636280192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.697968006 CET8056362111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.697977066 CET8056362111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.707709074 CET56363465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.707743883 CET56363465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:21.713601112 CET46556363111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.713608980 CET46556363111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.723472118 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.723472118 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.729403973 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.729414940 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.739043951 CET563655555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.739074945 CET563655555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:21.744939089 CET55555636565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:21.744946957 CET55555636565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.255474091 CET565156360111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.256042004 CET563605651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.256145954 CET563605651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.262011051 CET565156360111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.291462898 CET8056362111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.291625023 CET5636280192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.291685104 CET5636280192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.297432899 CET8056362111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.433482885 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.435384035 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:22.435384035 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:22.435384989 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:22.435457945 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:22.435457945 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:22.441380024 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.441394091 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.441407919 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.441420078 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.441881895 CET805636465.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.441962957 CET5636480192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:22.635133982 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.635324955 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.635324955 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.635356903 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.635400057 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:22.641169071 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.641184092 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.641196966 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:22.641208887 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:23.107623100 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:23.160680056 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:24.123451948 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:24.176511049 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:25.140209913 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:25.191936970 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:26.154690981 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:26.207549095 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:27.170456886 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:27.223185062 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:28.186988115 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:28.238820076 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:29.201764107 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:29.254427910 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:30.066714048 CET46556363111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:30.067445993 CET56363465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:30.069328070 CET56363465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:30.075763941 CET46556363111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:30.100661039 CET55555636565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:30.100776911 CET563655555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:30.100835085 CET563655555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:47:30.106699944 CET55555636565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:47:30.217381001 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:30.270051956 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:31.232889891 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:31.285686016 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:32.233846903 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:32.285685062 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:33.249798059 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:33.301312923 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:34.367187023 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:34.410701990 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:35.280770063 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:35.332571030 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:36.296356916 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:36.348186016 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:37.311563969 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:37.363818884 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:38.327274084 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:38.379439116 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:39.327501059 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:39.379544020 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:40.343698978 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:40.395066977 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:41.359196901 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:41.410702944 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:42.374316931 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:42.426326990 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:43.375437975 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:43.426353931 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:44.391125917 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:44.441956997 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:45.406510115 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:45.457619905 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:46.612037897 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:46.660702944 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:47.423233032 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:47.473330021 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:48.438911915 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:48.488842964 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:49.454722881 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:49.504465103 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:50.470132113 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:50.520081043 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:51.471606970 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:51.535768986 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:52.486771107 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:52.535712957 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:53.501966000 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:53.551348925 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:54.517843962 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:54.566987038 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:55.533262014 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:55.582715034 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:56.548677921 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:56.598308086 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:57.564431906 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:57.613864899 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:58.580018997 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:58.629586935 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:47:59.580749035 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:47:59.629498959 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:00.597485065 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:00.645225048 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:01.611753941 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:01.660857916 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:02.627525091 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:02.676464081 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:03.643296957 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:03.691982985 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:04.658742905 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:04.707618952 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:05.674316883 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:05.723248959 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:06.675509930 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:06.723279953 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:07.691114902 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:07.738900900 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:08.706801891 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:08.754496098 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:09.722491980 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:09.770153999 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:11.738234997 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:11.738995075 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:11.739167929 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:11.739444017 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:11.739490032 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:11.754606009 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:11.755269051 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:12.786426067 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:12.832732916 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:13.789330006 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:13.832623959 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:14.801304102 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:14.848268986 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:15.815942049 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:15.863886118 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:16.818363905 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:16.863909006 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:17.833879948 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:17.879513025 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:18.849251986 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:18.895145893 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:19.865037918 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:19.910887003 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:20.880357027 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:20.926399946 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.523144007 CET565425651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.529314041 CET565156542111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.529520035 CET565425651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.538356066 CET5654380192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.544337034 CET8056543111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.544413090 CET5654380192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.558281898 CET56544465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.564785004 CET46556544111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.564867973 CET56544465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.576545000 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.585150003 CET565465555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.585349083 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.585432053 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.592178106 CET55555654665.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.592255116 CET565465555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.660906076 CET565425651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.660906076 CET565425651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.667805910 CET565156542111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.667848110 CET565156542111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.676492929 CET5654380192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.676493883 CET5654380192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.683532953 CET8056543111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.683609009 CET8056543111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.692205906 CET56544465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.692250013 CET56544465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:21.698110104 CET46556544111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.698237896 CET46556544111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.707789898 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.707823038 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.714051008 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.714065075 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.723459005 CET565465555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.723500013 CET565465555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:21.729481936 CET55555654665.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.729556084 CET55555654665.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.895885944 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:21.942019939 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:22.250055075 CET565156542111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.250814915 CET565425651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:22.250891924 CET565425651192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:22.254235029 CET8056543111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.254945993 CET5654380192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:22.255018950 CET5654380192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:22.256793022 CET565156542111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.261893988 CET8056543111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.540862083 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.543493032 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:22.543493032 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:22.543493032 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:22.543577909 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:22.543579102 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:22.550214052 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.550228119 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.550240040 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.550257921 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.550836086 CET805654565.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.551346064 CET5654580192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:22.912795067 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:22.957647085 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:23.927767992 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:23.973290920 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:24.942941904 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:24.988912106 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:25.959009886 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:26.004614115 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:26.974390030 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:27.020178080 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:27.975414991 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:28.020194054 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:28.990835905 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:29.035806894 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:29.991527081 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:30.035797119 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:30.075252056 CET46556544111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:30.075514078 CET56544465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:30.075722933 CET56544465192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:30.082113028 CET55555654665.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:30.082243919 CET565465555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:30.082309961 CET565465555192.168.2.465.21.245.7
                                                                                  Oct 30, 2024 22:48:30.082895994 CET46556544111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:30.089365959 CET55555654665.21.245.7192.168.2.4
                                                                                  Oct 30, 2024 22:48:31.007342100 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:31.051412106 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:32.023983002 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:32.067042112 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:33.038333893 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:33.082712889 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:34.054167986 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:34.098289013 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:35.056233883 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:35.098289013 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:36.161571980 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:36.207667112 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:37.058751106 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:37.113919973 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:38.074069977 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:38.113933086 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:39.089891911 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:39.129676104 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:40.105319023 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:40.160803080 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:41.121040106 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:41.176440001 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:42.121645927 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:42.176479101 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:43.137026072 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:43.192058086 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:44.152635098 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:44.207665920 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:45.168162107 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:45.223298073 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:46.183892012 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:46.238925934 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:47.199750900 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:47.254564047 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:48.215606928 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:48.270189047 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:49.230667114 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:49.288239002 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:50.246789932 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:50.301460028 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:51.432374001 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:51.473326921 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:52.250581026 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:52.301444054 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:53.250941038 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:53.303354025 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:54.266458988 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:54.317060947 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:55.282052994 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:55.332695961 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:56.297925949 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:56.348309994 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:57.313813925 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:57.364115953 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:58.328979015 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:58.379573107 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:48:59.330004930 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:48:59.379590034 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:00.345875025 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:00.395200014 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:01.361407995 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:01.410819054 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:02.377163887 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:02.426464081 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:03.392709017 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:03.442085028 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:04.412250042 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:04.457700014 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:05.410775900 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:05.457804918 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:06.413019896 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:06.457725048 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:07.414215088 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:07.457721949 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:08.429801941 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:08.473340988 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:09.445107937 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:09.492024899 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:10.445426941 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:10.489032984 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:11.461091042 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:11.504606009 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:12.476514101 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:12.520230055 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:13.492158890 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:13.535859108 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:14.492605925 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:14.535995007 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:15.508028030 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:15.551471949 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:16.507894993 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:16.551481009 CET563618080192.168.2.4111.90.140.76
                                                                                  Oct 30, 2024 22:49:17.523744106 CET808056361111.90.140.76192.168.2.4
                                                                                  Oct 30, 2024 22:49:17.567219973 CET563618080192.168.2.4111.90.140.76

                                                                                  UDP Packets

                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                  Oct 30, 2024 22:46:21.793045044 CET5628353192.168.2.41.1.1.1
                                                                                  Oct 30, 2024 22:46:24.191369057 CET53613051.1.1.1192.168.2.4

                                                                                  DNS Queries

                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                  Oct 30, 2024 22:46:21.793045044 CET192.168.2.41.1.1.10x6c6fStandard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)false

                                                                                  DNS Answers

                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                  Oct 30, 2024 22:46:21.802793026 CET1.1.1.1192.168.2.40x6c6fNo error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)false

                                                                                  HTTP Request Dependency Graph

                                                                                  • armmf.adobe.com

                                                                                  HTTP Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.456362111.90.140.76808372C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Oct 30, 2024 22:47:21.692001104 CET6OUTData Raw: 00 00 00 01
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:47:21.692034960 CET6OUTData Raw: 00 00 00 03
                                                                                  Data Ascii:


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  1192.168.2.45636465.21.245.7808372C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Oct 30, 2024 22:47:21.723472118 CET6OUTData Raw: 00 00 00 01
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:47:21.723472118 CET6OUTData Raw: 00 00 00 03
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:47:22.433482885 CET505INHTTP/1.1 400 Bad Request
                                                                                  Content-Type: text/html; charset=us-ascii
                                                                                  Server: Microsoft-HTTPAPI/2.0
                                                                                  Date: Wed, 30 Oct 2024 21:47:21 GMT
                                                                                  Connection: close
                                                                                  Content-Length: 326
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 61 64 20 52 65 71 75 65 73 74 20 2d 20 49 6e 76 61 6c 69 64 20 56 65 72 62 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 72 65 71 75 65 73 74 20 76 65 72 62 20 69 73 20 69 6e 76 61 6c 69 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Verb</h2><hr><p>HTTP Error 400. The request verb is invalid.</p></BODY></HTML>
                                                                                  Oct 30, 2024 22:47:22.435384035 CET6OUTData Raw: 00 00 10 18
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:47:22.435384035 CET6OUTData Raw: 00 00 00 01
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:47:22.435384989 CET6OUTData Raw: 2d 2d 0d 0a
                                                                                  Data Ascii: --
                                                                                  Oct 30, 2024 22:47:22.435457945 CET6OUTData Raw: 00 00 00 00
                                                                                  Data Ascii:


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  2192.168.2.456543111.90.140.76808372C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Oct 30, 2024 22:48:21.676492929 CET6OUTData Raw: 00 00 00 01
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:48:21.676493883 CET6OUTData Raw: 00 00 00 03
                                                                                  Data Ascii:


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  3192.168.2.45654565.21.245.7808372C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Oct 30, 2024 22:48:21.707789898 CET6OUTData Raw: 00 00 00 01
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:48:21.707823038 CET6OUTData Raw: 00 00 00 03
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:48:22.540862083 CET505INHTTP/1.1 400 Bad Request
                                                                                  Content-Type: text/html; charset=us-ascii
                                                                                  Server: Microsoft-HTTPAPI/2.0
                                                                                  Date: Wed, 30 Oct 2024 21:48:20 GMT
                                                                                  Connection: close
                                                                                  Content-Length: 326
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 42 61 64 20 52 65 71 75 65 73 74 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 42 61 64 20 52 65 71 75 65 73 74 20 2d 20 49 6e 76 61 6c 69 64 20 56 65 72 62 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 30 2e 20 54 68 65 20 72 65 71 75 65 73 74 20 76 65 72 62 20 69 73 20 69 6e 76 61 6c 69 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Bad Request</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Bad Request - Invalid Verb</h2><hr><p>HTTP Error 400. The request verb is invalid.</p></BODY></HTML>
                                                                                  Oct 30, 2024 22:48:22.543493032 CET6OUTData Raw: 00 00 10 18
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:48:22.543493032 CET6OUTData Raw: 00 00 00 01
                                                                                  Data Ascii:
                                                                                  Oct 30, 2024 22:48:22.543493032 CET6OUTData Raw: 2d 2d 0d 0a
                                                                                  Data Ascii: --
                                                                                  Oct 30, 2024 22:48:22.543577909 CET6OUTData Raw: 00 00 00 00
                                                                                  Data Ascii:


                                                                                  HTTPS Proxied Packets

                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  0192.168.2.45626696.7.168.1384438032C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  2024-10-30 21:46:25 UTC475OUTGET /onboarding/smskillreader.txt HTTP/1.1
                                                                                  Host: armmf.adobe.com
                                                                                  Connection: keep-alive
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
                                                                                  Sec-Fetch-Site: same-origin
                                                                                  Sec-Fetch-Mode: no-cors
                                                                                  Sec-Fetch-Dest: empty
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  If-None-Match: "78-5faa31cce96da"
                                                                                  If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
                                                                                  2024-10-30 21:46:25 UTC198INHTTP/1.1 304 Not Modified
                                                                                  Content-Type: text/plain; charset=UTF-8
                                                                                  Last-Modified: Mon, 01 May 2023 15:02:33 GMT
                                                                                  ETag: "78-5faa31cce96da"
                                                                                  Date: Wed, 30 Oct 2024 21:46:25 GMT
                                                                                  Connection: close


                                                                                  Statistics

                                                                                  CPU Usage

                                                                                  Click to jump to process

                                                                                  Memory Usage

                                                                                  Click to jump to process

                                                                                  High Level Behavior Distribution

                                                                                  Click to dive into process behavior distribution

                                                                                  Behavior

                                                                                  Click to jump to process

                                                                                  System Behavior

                                                                                  General

                                                                                  Target ID:0
                                                                                  Start time:17:46:06
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Users\user\Desktop\0438.pdf.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Users\user\Desktop\0438.pdf.exe"
                                                                                  Imagebase:0x7ff6c0420000
                                                                                  File size:11'654'747 bytes
                                                                                  MD5 hash:2D11DBA46735AF1CB1C0A42E9564E20D
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:1
                                                                                  Start time:17:46:07
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\pdf.msi" /qn
                                                                                  Imagebase:0x7ff7ab270000
                                                                                  File size:69'632 bytes
                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:2
                                                                                  Start time:17:46:07
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\Doc.pdf"
                                                                                  Imagebase:0x7ff6bc1b0000
                                                                                  File size:5'641'176 bytes
                                                                                  MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:3
                                                                                  Start time:17:46:07
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                  Imagebase:0x7ff7ab270000
                                                                                  File size:69'632 bytes
                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:4
                                                                                  Start time:17:46:08
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                                  Imagebase:0x7ff74bb60000
                                                                                  File size:3'581'912 bytes
                                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:5
                                                                                  Start time:17:46:08
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                  Imagebase:0x7ff6eef20000
                                                                                  File size:55'320 bytes
                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:6
                                                                                  Start time:17:46:08
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2056 --field-trial-handle=1604,i,14248424182564037547,2314373854622466325,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                                  Imagebase:0x7ff74bb60000
                                                                                  File size:3'581'912 bytes
                                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:8
                                                                                  Start time:17:46:15
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /siex /silentinstall
                                                                                  Imagebase:0x7ff70f330000
                                                                                  File size:6'307'408 bytes
                                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000000.1777309138.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 3%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:9
                                                                                  Start time:17:46:16
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /siex /silentinstall
                                                                                  Imagebase:0x400000
                                                                                  File size:7'753'808 bytes
                                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.1786776059.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                                  • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe, Author: Joe Security
                                                                                  Antivirus matches:
                                                                                  • Detection: 3%, ReversingLabs
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:10
                                                                                  Start time:17:46:17
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /firewall
                                                                                  Imagebase:0x400000
                                                                                  File size:6'307'408 bytes
                                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:11
                                                                                  Start time:17:46:17
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /firewall
                                                                                  Imagebase:0x400000
                                                                                  File size:7'753'808 bytes
                                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:12
                                                                                  Start time:17:46:18
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /server /start
                                                                                  Imagebase:0x400000
                                                                                  File size:6'307'408 bytes
                                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:13
                                                                                  Start time:17:46:19
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe" /start
                                                                                  Imagebase:0x400000
                                                                                  File size:7'753'808 bytes
                                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Has exited:true

                                                                                  General

                                                                                  Target ID:14
                                                                                  Start time:17:46:19
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMServer.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:7'753'808 bytes
                                                                                  MD5 hash:F3D74B072B9697CF64B0B8445FDC8128
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:16
                                                                                  Start time:17:46:21
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe"
                                                                                  Imagebase:0x400000
                                                                                  File size:6'307'408 bytes
                                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:Borland Delphi
                                                                                  Has exited:false

                                                                                  General

                                                                                  Target ID:17
                                                                                  Start time:17:46:21
                                                                                  Start date:30/10/2024
                                                                                  Path:C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\LiteManager Pro - Server\ROMFUSClient.exe" /tray
                                                                                  Imagebase:0x400000
                                                                                  File size:6'307'408 bytes
                                                                                  MD5 hash:63D0964168B927D00064AA684E79A300
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:Borland Delphi
                                                                                  Has exited:false

                                                                                  Disassembly

                                                                                  Reset < >

                                                                                    Execution Graph

                                                                                    Execution Coverage:11.9%
                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                    Signature Coverage:27.7%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:29
                                                                                    execution_graph 25870 7ff6c045154b 25871 7ff6c04514a2 25870->25871 25874 7ff6c0451900 25871->25874 25900 7ff6c0451558 25874->25900 25877 7ff6c045198b 25879 7ff6c0451868 DloadReleaseSectionWriteAccess 6 API calls 25877->25879 25878 7ff6c04519b4 25881 7ff6c0451a3d LoadLibraryExA 25878->25881 25882 7ff6c0451b85 25878->25882 25883 7ff6c0451aa9 25878->25883 25888 7ff6c0451abd 25878->25888 25880 7ff6c0451998 RaiseException 25879->25880 25893 7ff6c04514e1 25880->25893 25881->25883 25884 7ff6c0451a54 GetLastError 25881->25884 25908 7ff6c0451868 25882->25908 25883->25888 25889 7ff6c0451ab4 FreeLibrary 25883->25889 25886 7ff6c0451a69 25884->25886 25887 7ff6c0451a7e 25884->25887 25885 7ff6c0451b1b GetProcAddress 25885->25882 25892 7ff6c0451b30 GetLastError 25885->25892 25886->25883 25886->25887 25891 7ff6c0451868 DloadReleaseSectionWriteAccess 6 API calls 25887->25891 25888->25882 25888->25885 25889->25888 25894 7ff6c0451a8b RaiseException 25891->25894 25895 7ff6c0451b45 25892->25895 25894->25893 25895->25882 25896 7ff6c0451868 DloadReleaseSectionWriteAccess 6 API calls 25895->25896 25897 7ff6c0451b67 RaiseException 25896->25897 25898 7ff6c0451558 _com_raise_error 6 API calls 25897->25898 25899 7ff6c0451b81 25898->25899 25899->25882 25901 7ff6c045156e 25900->25901 25907 7ff6c04515d3 25900->25907 25916 7ff6c0451604 25901->25916 25904 7ff6c04515ce 25906 7ff6c0451604 DloadReleaseSectionWriteAccess 3 API calls 25904->25906 25906->25907 25907->25877 25907->25878 25909 7ff6c04518d1 25908->25909 25910 7ff6c0451878 25908->25910 25909->25893 25911 7ff6c0451604 DloadReleaseSectionWriteAccess 3 API calls 25910->25911 25912 7ff6c045187d 25911->25912 25913 7ff6c04518cc 25912->25913 25914 7ff6c04517d8 DloadProtectSection 3 API calls 25912->25914 25915 7ff6c0451604 DloadReleaseSectionWriteAccess 3 API calls 25913->25915 25914->25913 25915->25909 25917 7ff6c045161f 25916->25917 25919 7ff6c0451573 25916->25919 25918 7ff6c0451624 GetModuleHandleW 25917->25918 25917->25919 25920 7ff6c0451639 25918->25920 25921 7ff6c045163e GetProcAddress 25918->25921 25919->25904 25923 7ff6c04517d8 25919->25923 25920->25919 25921->25920 25922 7ff6c0451653 GetProcAddress 25921->25922 25922->25920 25924 7ff6c04517fa DloadProtectSection 25923->25924 25925 7ff6c0451802 25924->25925 25926 7ff6c045183a VirtualProtect 25924->25926 25928 7ff6c04516a4 VirtualQuery GetSystemInfo 25924->25928 25925->25904 25926->25925 25928->25926 25929 7ff6c0452d6c 25954 7ff6c04527fc 25929->25954 25932 7ff6c0452eb8 26052 7ff6c0453170 7 API calls 2 library calls 25932->26052 25933 7ff6c0452d88 __scrt_acquire_startup_lock 25935 7ff6c0452ec2 25933->25935 25937 7ff6c0452da6 25933->25937 26053 7ff6c0453170 7 API calls 2 library calls 25935->26053 25938 7ff6c0452dcb 25937->25938 25941 7ff6c0452de8 __scrt_release_startup_lock 25937->25941 25962 7ff6c045cd90 25937->25962 25939 7ff6c0452ecd abort 25942 7ff6c0452e51 25941->25942 26049 7ff6c045c050 35 API calls __GSHandlerCheck_EH 25941->26049 25966 7ff6c04532bc 25942->25966 25944 7ff6c0452e56 25969 7ff6c045cd20 25944->25969 26054 7ff6c0452fb0 25954->26054 25957 7ff6c045282b 26056 7ff6c045cc50 25957->26056 25958 7ff6c0452827 25958->25932 25958->25933 25963 7ff6c045cdeb 25962->25963 25964 7ff6c045cdcc 25962->25964 25963->25941 25964->25963 26073 7ff6c0421120 25964->26073 26154 7ff6c0453cf0 25966->26154 26156 7ff6c0460730 25969->26156 25971 7ff6c0452e5e 25974 7ff6c0450754 25971->25974 25972 7ff6c045cd2f 25972->25971 26160 7ff6c0460ac0 35 API calls swprintf 25972->26160 26162 7ff6c043dfd0 25974->26162 25978 7ff6c045079a 26249 7ff6c044946c 25978->26249 25980 7ff6c04507a4 __scrt_get_show_window_mode 26254 7ff6c0449a14 25980->26254 25982 7ff6c0450819 25983 7ff6c045096e GetCommandLineW 25982->25983 26031 7ff6c0450ddc 25982->26031 25986 7ff6c0450980 25983->25986 26024 7ff6c0450b42 25983->26024 25984 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 25985 7ff6c0450de2 25984->25985 25989 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 25985->25989 26316 7ff6c042129c 25986->26316 25988 7ff6c0450b51 25992 7ff6c0421fa0 31 API calls 25988->25992 25996 7ff6c0450b68 BuildCatchObjectHelperInternal 25988->25996 26007 7ff6c0450de8 25989->26007 25991 7ff6c04509a5 26326 7ff6c044cad0 102 API calls 3 library calls 25991->26326 25992->25996 25995 7ff6c0451900 _com_raise_error 14 API calls 25995->26007 26276 7ff6c0421fa0 25996->26276 25997 7ff6c0450b93 SetEnvironmentVariableW GetLocalTime 26281 7ff6c0433e28 25997->26281 26001 7ff6c04509f9 OpenFileMappingW 26005 7ff6c0450a19 MapViewOfFile 26001->26005 26006 7ff6c0450ad0 CloseHandle 26001->26006 26003 7ff6c04509af 26003->25985 26003->26001 26004 7ff6c0450adb 26003->26004 26011 7ff6c042129c 33 API calls 26004->26011 26005->26006 26009 7ff6c0450a3f UnmapViewOfFile MapViewOfFile 26005->26009 26006->26024 26007->25995 26009->26006 26012 7ff6c0450a71 26009->26012 26010 7ff6c0450c75 26309 7ff6c04467b4 26010->26309 26014 7ff6c0450b00 26011->26014 26327 7ff6c044a190 33 API calls 2 library calls 26012->26327 26331 7ff6c044fd0c 35 API calls 2 library calls 26014->26331 26018 7ff6c0450a81 26328 7ff6c044fd0c 35 API calls 2 library calls 26018->26328 26019 7ff6c04467b4 33 API calls 26023 7ff6c0450c87 DialogBoxParamW 26019->26023 26020 7ff6c0450b0a 26020->26024 26026 7ff6c0450dd7 26020->26026 26022 7ff6c0450a90 26329 7ff6c043b9b4 102 API calls 26022->26329 26032 7ff6c0450cd3 26023->26032 26264 7ff6c0436454 26024->26264 26029 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26026->26029 26027 7ff6c0450aa5 26330 7ff6c043bb00 102 API calls 26027->26330 26029->26031 26030 7ff6c0450ab8 26035 7ff6c0450ac7 UnmapViewOfFile 26030->26035 26031->25984 26033 7ff6c0450cec 26032->26033 26034 7ff6c0450ce6 Sleep 26032->26034 26036 7ff6c0450cfa 26033->26036 26332 7ff6c0449f4c 49 API calls 2 library calls 26033->26332 26034->26033 26035->26006 26038 7ff6c0450d06 DeleteObject 26036->26038 26039 7ff6c0450d25 26038->26039 26040 7ff6c0450d1f DeleteObject 26038->26040 26041 7ff6c0450d5b 26039->26041 26042 7ff6c0450d6d 26039->26042 26040->26039 26333 7ff6c044fe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 26041->26333 26312 7ff6c04494e4 26042->26312 26045 7ff6c0450d60 CloseHandle 26045->26042 26049->25942 26052->25935 26053->25939 26055 7ff6c045281e __scrt_dllmain_crt_thread_attach 26054->26055 26055->25957 26055->25958 26057 7ff6c0460d4c 26056->26057 26058 7ff6c0452830 26057->26058 26061 7ff6c045ec00 26057->26061 26058->25958 26060 7ff6c04551a0 7 API calls 2 library calls 26058->26060 26060->25958 26072 7ff6c045f398 EnterCriticalSection 26061->26072 26078 7ff6c04291c8 26073->26078 26077 7ff6c0452a01 26077->25964 26086 7ff6c04356a4 26078->26086 26080 7ff6c04291df 26089 7ff6c043b788 26080->26089 26084 7ff6c0421130 26085 7ff6c04529bc 34 API calls 26084->26085 26085->26077 26095 7ff6c04356e8 26086->26095 26104 7ff6c04213a4 26089->26104 26092 7ff6c0429a28 26093 7ff6c04356e8 2 API calls 26092->26093 26094 7ff6c0429a36 26093->26094 26094->26084 26096 7ff6c04356fe __scrt_get_show_window_mode 26095->26096 26099 7ff6c043eba4 26096->26099 26102 7ff6c043eb58 GetCurrentProcess GetProcessAffinityMask 26099->26102 26103 7ff6c04356de 26102->26103 26103->26080 26105 7ff6c04213ad 26104->26105 26106 7ff6c042142d 26104->26106 26107 7ff6c042143d 26105->26107 26108 7ff6c04213ce 26105->26108 26106->26092 26124 7ff6c0422018 33 API calls std::_Xinvalid_argument 26107->26124 26112 7ff6c04213db __scrt_get_show_window_mode 26108->26112 26114 7ff6c04521d0 26108->26114 26123 7ff6c042197c 31 API calls _invalid_parameter_noinfo_noreturn 26112->26123 26115 7ff6c04521db 26114->26115 26116 7ff6c04521f4 26115->26116 26118 7ff6c04521fa 26115->26118 26125 7ff6c045bbc0 26115->26125 26116->26112 26119 7ff6c0452205 26118->26119 26128 7ff6c0452f7c RtlPcToFileHeader RaiseException _com_raise_error std::bad_alloc::bad_alloc 26118->26128 26129 7ff6c0421f80 26119->26129 26122 7ff6c045220b 26123->26106 26136 7ff6c045bc00 26125->26136 26128->26119 26130 7ff6c0421f8e std::bad_alloc::bad_alloc 26129->26130 26142 7ff6c0454078 26130->26142 26132 7ff6c0421f9f 26133 7ff6c0421fdc 26132->26133 26147 7ff6c0457904 26132->26147 26133->26122 26141 7ff6c045f398 EnterCriticalSection 26136->26141 26143 7ff6c0454097 26142->26143 26144 7ff6c04540b4 RtlPcToFileHeader 26142->26144 26143->26144 26145 7ff6c04540db RaiseException 26144->26145 26146 7ff6c04540cc 26144->26146 26145->26132 26146->26145 26152 7ff6c045783c 31 API calls _invalid_parameter_noinfo_noreturn 26147->26152 26149 7ff6c045791d 26153 7ff6c0457934 16 API calls abort 26149->26153 26152->26149 26155 7ff6c04532d3 GetStartupInfoW 26154->26155 26155->25944 26157 7ff6c046073d 26156->26157 26158 7ff6c0460749 26156->26158 26161 7ff6c0460570 48 API calls 4 library calls 26157->26161 26158->25972 26160->25972 26161->26158 26334 7ff6c0452450 26162->26334 26165 7ff6c043e026 GetProcAddress 26167 7ff6c043e03b 26165->26167 26168 7ff6c043e053 GetProcAddress 26165->26168 26166 7ff6c043e07b 26169 7ff6c043e503 26166->26169 26376 7ff6c045b788 39 API calls _snwprintf 26166->26376 26167->26168 26168->26166 26171 7ff6c043e068 26168->26171 26170 7ff6c0436454 34 API calls 26169->26170 26173 7ff6c043e50c 26170->26173 26171->26166 26336 7ff6c0437df4 26173->26336 26174 7ff6c043e3b0 26174->26169 26176 7ff6c043e3ba 26174->26176 26177 7ff6c0436454 34 API calls 26176->26177 26178 7ff6c043e3c3 CreateFileW 26177->26178 26179 7ff6c043e4f0 CloseHandle 26178->26179 26180 7ff6c043e403 SetFilePointer 26178->26180 26183 7ff6c0421fa0 31 API calls 26179->26183 26180->26179 26182 7ff6c043e41c ReadFile 26180->26182 26182->26179 26184 7ff6c043e444 26182->26184 26183->26169 26185 7ff6c043e458 26184->26185 26186 7ff6c043e800 26184->26186 26191 7ff6c042129c 33 API calls 26185->26191 26395 7ff6c0452624 8 API calls 26186->26395 26188 7ff6c042129c 33 API calls 26205 7ff6c043e51a 26188->26205 26189 7ff6c043e805 26190 7ff6c043e53e CompareStringW 26190->26205 26198 7ff6c043e48f 26191->26198 26193 7ff6c043e63a 26196 7ff6c043e648 26193->26196 26197 7ff6c043e7c2 26193->26197 26194 7ff6c0421fa0 31 API calls 26194->26205 26378 7ff6c0437eb0 47 API calls 26196->26378 26200 7ff6c0421fa0 31 API calls 26197->26200 26202 7ff6c043e4db 26198->26202 26377 7ff6c043d0a0 33 API calls 26198->26377 26204 7ff6c043e7cb 26200->26204 26206 7ff6c0421fa0 31 API calls 26202->26206 26203 7ff6c043e651 26208 7ff6c04351a4 9 API calls 26203->26208 26210 7ff6c0421fa0 31 API calls 26204->26210 26205->26188 26205->26190 26205->26194 26224 7ff6c043e5cc 26205->26224 26344 7ff6c04351a4 26205->26344 26349 7ff6c0438090 26205->26349 26353 7ff6c04332bc 26205->26353 26207 7ff6c043e4e5 26206->26207 26211 7ff6c0421fa0 31 API calls 26207->26211 26212 7ff6c043e656 26208->26212 26209 7ff6c042129c 33 API calls 26209->26224 26213 7ff6c043e7d5 26210->26213 26211->26179 26214 7ff6c043e706 26212->26214 26221 7ff6c043e661 26212->26221 26367 7ff6c0452320 26213->26367 26217 7ff6c043da98 48 API calls 26214->26217 26215 7ff6c0438090 47 API calls 26215->26224 26219 7ff6c043e74b AllocConsole 26217->26219 26222 7ff6c043e6fb 26219->26222 26223 7ff6c043e755 GetCurrentProcessId AttachConsole 26219->26223 26220 7ff6c0421fa0 31 API calls 26220->26224 26379 7ff6c043aae0 26221->26379 26227 7ff6c04219e0 std::locale::global 31 API calls 26222->26227 26225 7ff6c043e76c 26223->26225 26224->26193 26224->26209 26224->26215 26224->26220 26226 7ff6c04332bc 51 API calls 26224->26226 26232 7ff6c043e778 GetStdHandle WriteConsoleW Sleep FreeConsole 26225->26232 26226->26224 26229 7ff6c043e7b9 ExitProcess 26227->26229 26232->26222 26234 7ff6c043aae0 48 API calls 26235 7ff6c043e6ce 26234->26235 26389 7ff6c043dc2c 33 API calls 26235->26389 26237 7ff6c043e6da 26390 7ff6c04219e0 26237->26390 26239 7ff6c04362dc GetCurrentDirectoryW 26240 7ff6c0436300 26239->26240 26241 7ff6c043638d 26239->26241 26242 7ff6c04213a4 33 API calls 26240->26242 26241->25978 26243 7ff6c043631b GetCurrentDirectoryW 26242->26243 26244 7ff6c0436341 26243->26244 26596 7ff6c04220b0 26244->26596 26246 7ff6c043634f 26246->26241 26247 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26246->26247 26248 7ff6c04363a9 26247->26248 26250 7ff6c043dd88 26249->26250 26251 7ff6c0449481 OleInitialize 26250->26251 26252 7ff6c04494a7 26251->26252 26253 7ff6c04494cd SHGetMalloc 26252->26253 26253->25980 26255 7ff6c0449a49 26254->26255 26262 7ff6c0449a4e BuildCatchObjectHelperInternal 26254->26262 26256 7ff6c0421fa0 31 API calls 26255->26256 26256->26262 26257 7ff6c0421fa0 31 API calls 26259 7ff6c0449a7d BuildCatchObjectHelperInternal 26257->26259 26258 7ff6c0449aac BuildCatchObjectHelperInternal 26261 7ff6c0421fa0 31 API calls 26258->26261 26263 7ff6c0449adb BuildCatchObjectHelperInternal 26258->26263 26259->26258 26260 7ff6c0421fa0 31 API calls 26259->26260 26260->26258 26261->26263 26262->26257 26262->26259 26263->25982 26265 7ff6c04213a4 33 API calls 26264->26265 26266 7ff6c0436489 26265->26266 26267 7ff6c043648c GetModuleFileNameW 26266->26267 26270 7ff6c04364dc 26266->26270 26268 7ff6c04364a7 26267->26268 26269 7ff6c04364de 26267->26269 26268->26266 26269->26270 26271 7ff6c042129c 33 API calls 26270->26271 26273 7ff6c0436506 26271->26273 26272 7ff6c043653e 26272->25988 26273->26272 26274 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26273->26274 26275 7ff6c0436560 26274->26275 26277 7ff6c0421fb3 26276->26277 26278 7ff6c0421fdc 26276->26278 26277->26278 26279 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26277->26279 26278->25997 26280 7ff6c0422000 26279->26280 26282 7ff6c0433e4d swprintf 26281->26282 26283 7ff6c0459ef0 swprintf 46 API calls 26282->26283 26284 7ff6c0433e69 SetEnvironmentVariableW GetModuleHandleW LoadIconW 26283->26284 26285 7ff6c044b014 LoadBitmapW 26284->26285 26286 7ff6c044b046 26285->26286 26287 7ff6c044b03e 26285->26287 26289 7ff6c044b063 26286->26289 26290 7ff6c044b04e GetObjectW 26286->26290 26601 7ff6c0448624 FindResourceW 26287->26601 26616 7ff6c044849c 26289->26616 26290->26289 26292 7ff6c044b0ce 26304 7ff6c04398ac 26292->26304 26293 7ff6c044b09e 26621 7ff6c0448504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26293->26621 26295 7ff6c0448624 11 API calls 26297 7ff6c044b08a 26295->26297 26297->26293 26299 7ff6c044b092 DeleteObject 26297->26299 26298 7ff6c044b0a7 26622 7ff6c04484cc 26298->26622 26299->26293 26303 7ff6c044b0bf DeleteObject 26303->26292 26629 7ff6c04398dc 26304->26629 26306 7ff6c04398ba 26696 7ff6c043a43c GetModuleHandleW FindResourceW 26306->26696 26308 7ff6c04398c2 26308->26010 26310 7ff6c04521d0 33 API calls 26309->26310 26311 7ff6c04467fa 26310->26311 26311->26019 26313 7ff6c0449501 26312->26313 26314 7ff6c044950a OleUninitialize 26313->26314 26315 7ff6c048e330 26314->26315 26317 7ff6c042139b 26316->26317 26318 7ff6c04212d0 26316->26318 26778 7ff6c0422004 33 API calls std::_Xinvalid_argument 26317->26778 26321 7ff6c0421396 26318->26321 26322 7ff6c0421338 26318->26322 26324 7ff6c04212de BuildCatchObjectHelperInternal 26318->26324 26323 7ff6c0421f80 Concurrency::cancel_current_task 33 API calls 26321->26323 26322->26324 26325 7ff6c04521d0 33 API calls 26322->26325 26323->26317 26324->25991 26325->26324 26326->26003 26327->26018 26328->26022 26329->26027 26330->26030 26331->26020 26332->26036 26333->26045 26335 7ff6c043dff4 GetModuleHandleW 26334->26335 26335->26165 26335->26166 26337 7ff6c0437e0c 26336->26337 26338 7ff6c0437e55 26337->26338 26339 7ff6c0437e23 26337->26339 26396 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 26338->26396 26341 7ff6c042129c 33 API calls 26339->26341 26343 7ff6c0437e47 26341->26343 26342 7ff6c0437e5a 26343->26205 26345 7ff6c04351c8 GetVersionExW 26344->26345 26346 7ff6c04351fb 26344->26346 26345->26346 26347 7ff6c0452320 _handle_error 8 API calls 26346->26347 26348 7ff6c0435228 26347->26348 26348->26205 26350 7ff6c04380a5 26349->26350 26397 7ff6c0438188 26350->26397 26352 7ff6c04380ca 26352->26205 26354 7ff6c04332e7 GetFileAttributesW 26353->26354 26355 7ff6c04332e4 26353->26355 26356 7ff6c04332f8 26354->26356 26357 7ff6c0433375 26354->26357 26355->26354 26406 7ff6c0436a0c 26356->26406 26358 7ff6c0452320 _handle_error 8 API calls 26357->26358 26361 7ff6c0433389 26358->26361 26361->26205 26362 7ff6c043333c 26362->26357 26364 7ff6c0433399 26362->26364 26363 7ff6c0433323 GetFileAttributesW 26363->26362 26365 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26364->26365 26366 7ff6c043339e 26365->26366 26368 7ff6c0452329 26367->26368 26369 7ff6c043e7e4 26368->26369 26370 7ff6c0452550 IsProcessorFeaturePresent 26368->26370 26369->26239 26371 7ff6c0452568 26370->26371 26496 7ff6c0452744 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 26371->26496 26373 7ff6c045257b 26497 7ff6c0452510 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26373->26497 26376->26174 26377->26198 26378->26203 26380 7ff6c043aaf3 26379->26380 26498 7ff6c0439774 26380->26498 26383 7ff6c043ab58 LoadStringW 26384 7ff6c043ab86 26383->26384 26385 7ff6c043ab71 LoadStringW 26383->26385 26386 7ff6c043da98 26384->26386 26385->26384 26524 7ff6c043d874 26386->26524 26389->26237 26391 7ff6c0421fa0 26390->26391 26392 7ff6c0421fdc 26391->26392 26393 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26391->26393 26392->26222 26394 7ff6c0422000 26393->26394 26395->26189 26396->26342 26398 7ff6c0438326 26397->26398 26401 7ff6c04381ba 26397->26401 26405 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 26398->26405 26400 7ff6c043832b 26403 7ff6c04381d4 BuildCatchObjectHelperInternal 26401->26403 26404 7ff6c04358a4 33 API calls 2 library calls 26401->26404 26403->26352 26404->26403 26405->26400 26407 7ff6c0436a4b 26406->26407 26408 7ff6c0436a44 26406->26408 26410 7ff6c042129c 33 API calls 26407->26410 26409 7ff6c0452320 _handle_error 8 API calls 26408->26409 26411 7ff6c043331f 26409->26411 26412 7ff6c0436a76 26410->26412 26411->26362 26411->26363 26413 7ff6c0436a96 26412->26413 26414 7ff6c0436cc7 26412->26414 26416 7ff6c0436b49 26413->26416 26417 7ff6c0436ab0 26413->26417 26415 7ff6c04362dc 35 API calls 26414->26415 26419 7ff6c0436ce6 26415->26419 26443 7ff6c042129c 33 API calls 26416->26443 26477 7ff6c0436b44 26416->26477 26442 7ff6c04370ab 26417->26442 26479 7ff6c042c098 33 API calls 2 library calls 26417->26479 26420 7ff6c0436eef 26419->26420 26426 7ff6c0436d1b 26419->26426 26419->26477 26462 7ff6c04370cf 26420->26462 26488 7ff6c042c098 33 API calls 2 library calls 26420->26488 26421 7ff6c04370b1 26428 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26421->26428 26424 7ff6c0436b03 26439 7ff6c0421fa0 31 API calls 26424->26439 26444 7ff6c0436b15 BuildCatchObjectHelperInternal 26424->26444 26427 7ff6c04370bd 26426->26427 26482 7ff6c042c098 33 API calls 2 library calls 26426->26482 26492 7ff6c0422004 33 API calls std::_Xinvalid_argument 26427->26492 26437 7ff6c04370b7 26428->26437 26429 7ff6c04370d5 26430 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26429->26430 26438 7ff6c04370db 26430->26438 26431 7ff6c04370a6 26436 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26431->26436 26432 7ff6c0436f56 26489 7ff6c04211cc 33 API calls BuildCatchObjectHelperInternal 26432->26489 26435 7ff6c0421fa0 31 API calls 26435->26477 26436->26442 26447 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26437->26447 26449 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26438->26449 26439->26444 26441 7ff6c04370c3 26446 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26441->26446 26491 7ff6c0422004 33 API calls std::_Xinvalid_argument 26442->26491 26450 7ff6c0436bbe 26443->26450 26444->26435 26445 7ff6c0436f69 26490 7ff6c04357ac 33 API calls BuildCatchObjectHelperInternal 26445->26490 26452 7ff6c04370c9 26446->26452 26447->26427 26448 7ff6c0421fa0 31 API calls 26460 7ff6c0436df5 26448->26460 26454 7ff6c04370e1 26449->26454 26480 7ff6c0435820 33 API calls 26450->26480 26493 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 26452->26493 26453 7ff6c0436d76 BuildCatchObjectHelperInternal 26453->26441 26453->26448 26456 7ff6c0436bd3 26481 7ff6c042e164 33 API calls 2 library calls 26456->26481 26459 7ff6c0421fa0 31 API calls 26463 7ff6c0436fec 26459->26463 26465 7ff6c0436e21 26460->26465 26483 7ff6c0421744 33 API calls 4 library calls 26460->26483 26461 7ff6c0436f79 BuildCatchObjectHelperInternal 26461->26438 26461->26459 26494 7ff6c0422004 33 API calls std::_Xinvalid_argument 26462->26494 26464 7ff6c0421fa0 31 API calls 26463->26464 26468 7ff6c0436ff6 26464->26468 26465->26452 26469 7ff6c042129c 33 API calls 26465->26469 26467 7ff6c0421fa0 31 API calls 26471 7ff6c0436c6d 26467->26471 26472 7ff6c0421fa0 31 API calls 26468->26472 26473 7ff6c0436ec2 26469->26473 26470 7ff6c0436be9 BuildCatchObjectHelperInternal 26470->26437 26470->26467 26474 7ff6c0421fa0 31 API calls 26471->26474 26472->26477 26484 7ff6c0422034 26473->26484 26474->26477 26476 7ff6c0436edf 26478 7ff6c0421fa0 31 API calls 26476->26478 26477->26408 26477->26421 26477->26429 26477->26431 26478->26477 26479->26424 26480->26456 26481->26470 26482->26453 26483->26465 26485 7ff6c0422059 BuildCatchObjectHelperInternal 26484->26485 26486 7ff6c0422085 26484->26486 26485->26476 26495 7ff6c04215b8 33 API calls 3 library calls 26486->26495 26488->26432 26489->26445 26490->26461 26493->26462 26495->26485 26496->26373 26505 7ff6c0439638 26498->26505 26501 7ff6c04397d9 26503 7ff6c0452320 _handle_error 8 API calls 26501->26503 26504 7ff6c04397f2 26503->26504 26504->26383 26504->26384 26506 7ff6c0439692 26505->26506 26514 7ff6c0439730 26505->26514 26507 7ff6c04396c0 26506->26507 26519 7ff6c0440f68 WideCharToMultiByte 26506->26519 26509 7ff6c04396ef 26507->26509 26521 7ff6c043aa88 45 API calls 2 library calls 26507->26521 26522 7ff6c045a270 31 API calls 2 library calls 26509->26522 26510 7ff6c0452320 _handle_error 8 API calls 26511 7ff6c0439764 26510->26511 26511->26501 26515 7ff6c0439800 26511->26515 26514->26510 26516 7ff6c0439840 26515->26516 26518 7ff6c0439869 26515->26518 26523 7ff6c045a270 31 API calls 2 library calls 26516->26523 26518->26501 26520 7ff6c0440faa 26519->26520 26520->26507 26521->26509 26522->26514 26523->26518 26540 7ff6c043d4d0 26524->26540 26529 7ff6c043d8e5 swprintf 26537 7ff6c043d974 26529->26537 26554 7ff6c0459ef0 26529->26554 26581 7ff6c0429d78 33 API calls 26529->26581 26530 7ff6c043d9a3 26532 7ff6c043da17 26530->26532 26534 7ff6c043da3f 26530->26534 26533 7ff6c0452320 _handle_error 8 API calls 26532->26533 26535 7ff6c043da2b 26533->26535 26536 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26534->26536 26535->26234 26538 7ff6c043da44 26536->26538 26537->26530 26582 7ff6c0429d78 33 API calls 26537->26582 26541 7ff6c043d665 26540->26541 26542 7ff6c043d502 26540->26542 26544 7ff6c043cb80 26541->26544 26542->26541 26543 7ff6c0421744 33 API calls 26542->26543 26543->26542 26545 7ff6c043cbb6 26544->26545 26551 7ff6c043cc80 26544->26551 26548 7ff6c043cc7b 26545->26548 26549 7ff6c043cc20 26545->26549 26553 7ff6c043cbc6 26545->26553 26550 7ff6c0421f80 Concurrency::cancel_current_task 33 API calls 26548->26550 26552 7ff6c04521d0 33 API calls 26549->26552 26549->26553 26550->26551 26583 7ff6c0422004 33 API calls std::_Xinvalid_argument 26551->26583 26552->26553 26553->26529 26555 7ff6c0459f36 26554->26555 26558 7ff6c0459f4e 26554->26558 26584 7ff6c045d69c 15 API calls _invalid_parameter_noinfo_noreturn 26555->26584 26557 7ff6c0459f58 26586 7ff6c0457ef0 35 API calls 2 library calls 26557->26586 26558->26555 26558->26557 26559 7ff6c0459f3b 26585 7ff6c04578e4 31 API calls _invalid_parameter_noinfo_noreturn 26559->26585 26562 7ff6c0459f69 __scrt_get_show_window_mode 26587 7ff6c0457e70 15 API calls _set_errno_from_matherr 26562->26587 26563 7ff6c0452320 _handle_error 8 API calls 26564 7ff6c045a10b 26563->26564 26564->26529 26566 7ff6c0459fd4 26588 7ff6c04582f8 46 API calls 3 library calls 26566->26588 26568 7ff6c0459fdd 26569 7ff6c0459fe5 26568->26569 26570 7ff6c045a014 26568->26570 26589 7ff6c045d90c 26569->26589 26572 7ff6c045a06c 26570->26572 26573 7ff6c045a023 26570->26573 26574 7ff6c045a092 26570->26574 26577 7ff6c045a01a 26570->26577 26578 7ff6c045d90c __free_lconv_mon 15 API calls 26572->26578 26576 7ff6c045d90c __free_lconv_mon 15 API calls 26573->26576 26574->26572 26575 7ff6c045a09c 26574->26575 26579 7ff6c045d90c __free_lconv_mon 15 API calls 26575->26579 26580 7ff6c0459f46 26576->26580 26577->26572 26577->26573 26578->26580 26579->26580 26580->26563 26581->26529 26582->26530 26584->26559 26585->26580 26586->26562 26587->26566 26588->26568 26590 7ff6c045d911 RtlFreeHeap 26589->26590 26594 7ff6c045d941 __free_lconv_mon 26589->26594 26591 7ff6c045d92c 26590->26591 26590->26594 26595 7ff6c045d69c 15 API calls _invalid_parameter_noinfo_noreturn 26591->26595 26593 7ff6c045d931 GetLastError 26593->26594 26594->26580 26595->26593 26597 7ff6c04220f6 26596->26597 26599 7ff6c04220cb BuildCatchObjectHelperInternal 26596->26599 26600 7ff6c0421474 33 API calls 3 library calls 26597->26600 26599->26246 26600->26599 26602 7ff6c044879b 26601->26602 26603 7ff6c044864f SizeofResource 26601->26603 26602->26286 26603->26602 26604 7ff6c0448669 LoadResource 26603->26604 26604->26602 26605 7ff6c0448682 LockResource 26604->26605 26605->26602 26606 7ff6c0448697 GlobalAlloc 26605->26606 26606->26602 26607 7ff6c04486b8 GlobalLock 26606->26607 26608 7ff6c04486ca BuildCatchObjectHelperInternal 26607->26608 26609 7ff6c0448792 GlobalFree 26607->26609 26610 7ff6c04486d8 CreateStreamOnHGlobal 26608->26610 26609->26602 26611 7ff6c04486f6 GdipAlloc 26610->26611 26612 7ff6c0448789 GlobalUnlock 26610->26612 26613 7ff6c044870b 26611->26613 26612->26609 26613->26612 26614 7ff6c044875a GdipCreateHBITMAPFromBitmap 26613->26614 26615 7ff6c0448772 26613->26615 26614->26615 26615->26612 26617 7ff6c04484cc 4 API calls 26616->26617 26618 7ff6c04484aa 26617->26618 26619 7ff6c04484b9 26618->26619 26627 7ff6c0448504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26618->26627 26619->26292 26619->26293 26619->26295 26621->26298 26623 7ff6c04484e3 26622->26623 26624 7ff6c04484de 26622->26624 26626 7ff6c0448df4 16 API calls _handle_error 26623->26626 26628 7ff6c0448590 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26624->26628 26626->26303 26627->26619 26628->26623 26632 7ff6c04398fe _snwprintf 26629->26632 26630 7ff6c0439973 26747 7ff6c04368b0 48 API calls 26630->26747 26632->26630 26634 7ff6c0439a89 26632->26634 26633 7ff6c0421fa0 31 API calls 26636 7ff6c04399fd 26633->26636 26634->26636 26638 7ff6c04220b0 33 API calls 26634->26638 26635 7ff6c043997d BuildCatchObjectHelperInternal 26635->26633 26693 7ff6c043a42e 26635->26693 26698 7ff6c04324c0 26636->26698 26637 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26639 7ff6c043a434 26637->26639 26638->26636 26642 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26639->26642 26646 7ff6c043a43a 26642->26646 26643 7ff6c0439a22 26645 7ff6c043204c 100 API calls 26643->26645 26644 7ff6c0439b17 26716 7ff6c045a450 26644->26716 26647 7ff6c0439a2b 26645->26647 26647->26639 26650 7ff6c0439a66 26647->26650 26649 7ff6c0439aad 26649->26644 26651 7ff6c0438e58 33 API calls 26649->26651 26654 7ff6c0452320 _handle_error 8 API calls 26650->26654 26651->26649 26653 7ff6c045a450 31 API calls 26658 7ff6c0439b57 __vcrt_FlsAlloc 26653->26658 26655 7ff6c043a40e 26654->26655 26655->26306 26657 7ff6c0432aa0 101 API calls 26660 7ff6c0439ca1 26657->26660 26666 7ff6c0439c89 26658->26666 26686 7ff6c0439d5c 26658->26686 26724 7ff6c0432bb0 26658->26724 26733 7ff6c04328d0 26658->26733 26738 7ff6c0432aa0 26658->26738 26661 7ff6c04328d0 104 API calls 26660->26661 26660->26686 26667 7ff6c0439cc9 26661->26667 26666->26657 26666->26686 26667->26686 26690 7ff6c0439cd7 __vcrt_FlsAlloc 26667->26690 26748 7ff6c0440bbc MultiByteToWideChar 26667->26748 26669 7ff6c043a1ec 26679 7ff6c043a2c2 26669->26679 26754 7ff6c045cf90 31 API calls 2 library calls 26669->26754 26671 7ff6c043a157 26671->26669 26751 7ff6c045cf90 31 API calls 2 library calls 26671->26751 26673 7ff6c043a14b 26673->26306 26675 7ff6c043a2ae 26675->26679 26756 7ff6c0438cd0 33 API calls 2 library calls 26675->26756 26676 7ff6c043a3a2 26678 7ff6c045a450 31 API calls 26676->26678 26677 7ff6c043a249 26755 7ff6c045b7bc 31 API calls _invalid_parameter_noinfo_noreturn 26677->26755 26681 7ff6c043a3cb 26678->26681 26679->26676 26685 7ff6c0438e58 33 API calls 26679->26685 26683 7ff6c045a450 31 API calls 26681->26683 26682 7ff6c043a16d 26752 7ff6c045b7bc 31 API calls _invalid_parameter_noinfo_noreturn 26682->26752 26683->26686 26685->26679 26743 7ff6c043204c 26686->26743 26687 7ff6c043a1d8 26687->26669 26753 7ff6c0438cd0 33 API calls 2 library calls 26687->26753 26688 7ff6c0440f68 WideCharToMultiByte 26688->26690 26690->26669 26690->26671 26690->26673 26690->26686 26690->26688 26691 7ff6c043a429 26690->26691 26749 7ff6c043aa88 45 API calls 2 library calls 26690->26749 26750 7ff6c045a270 31 API calls 2 library calls 26690->26750 26757 7ff6c0452624 8 API calls 26691->26757 26693->26637 26697 7ff6c043a468 26696->26697 26697->26308 26699 7ff6c04324fd CreateFileW 26698->26699 26701 7ff6c04325ae GetLastError 26699->26701 26704 7ff6c043266e 26699->26704 26702 7ff6c0436a0c 49 API calls 26701->26702 26703 7ff6c04325dc 26702->26703 26706 7ff6c043262c 26703->26706 26707 7ff6c04325e0 CreateFileW GetLastError 26703->26707 26705 7ff6c04326cf 26704->26705 26708 7ff6c04326b1 SetFileTime 26704->26708 26709 7ff6c0432708 26705->26709 26713 7ff6c04220b0 33 API calls 26705->26713 26706->26704 26712 7ff6c0432736 26706->26712 26707->26706 26708->26705 26710 7ff6c0452320 _handle_error 8 API calls 26709->26710 26711 7ff6c043271b 26710->26711 26711->26643 26711->26649 26714 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26712->26714 26713->26709 26715 7ff6c043273b 26714->26715 26717 7ff6c045a47d 26716->26717 26723 7ff6c045a492 26717->26723 26758 7ff6c045d69c 15 API calls _invalid_parameter_noinfo_noreturn 26717->26758 26719 7ff6c045a487 26759 7ff6c04578e4 31 API calls _invalid_parameter_noinfo_noreturn 26719->26759 26721 7ff6c0452320 _handle_error 8 API calls 26722 7ff6c0439b37 26721->26722 26722->26653 26723->26721 26725 7ff6c0432bcd 26724->26725 26726 7ff6c0432be9 26724->26726 26727 7ff6c0432bfb 26725->26727 26760 7ff6c042b9c4 99 API calls _com_raise_error 26725->26760 26726->26727 26729 7ff6c0432c01 SetFilePointer 26726->26729 26727->26658 26729->26727 26730 7ff6c0432c1e GetLastError 26729->26730 26730->26727 26731 7ff6c0432c28 26730->26731 26731->26727 26761 7ff6c042b9c4 99 API calls _com_raise_error 26731->26761 26734 7ff6c04328f6 26733->26734 26735 7ff6c04328fd 26733->26735 26734->26658 26735->26734 26737 7ff6c0432320 GetStdHandle ReadFile GetLastError GetLastError GetFileType 26735->26737 26762 7ff6c042b8a4 99 API calls _com_raise_error 26735->26762 26737->26735 26763 7ff6c0432778 26738->26763 26741 7ff6c0432ac7 26741->26658 26744 7ff6c0432066 26743->26744 26745 7ff6c0432072 26743->26745 26744->26745 26771 7ff6c04320d0 26744->26771 26747->26635 26748->26690 26749->26690 26750->26690 26751->26682 26752->26687 26753->26669 26754->26677 26755->26675 26756->26679 26757->26693 26758->26719 26759->26723 26764 7ff6c0432789 _snwprintf 26763->26764 26765 7ff6c04327b5 26764->26765 26766 7ff6c0432890 SetFilePointer 26764->26766 26767 7ff6c0452320 _handle_error 8 API calls 26765->26767 26766->26765 26768 7ff6c04328b8 GetLastError 26766->26768 26769 7ff6c043281d 26767->26769 26768->26765 26769->26741 26770 7ff6c042b9c4 99 API calls _com_raise_error 26769->26770 26772 7ff6c0432102 26771->26772 26773 7ff6c04320ea 26771->26773 26774 7ff6c0432126 26772->26774 26777 7ff6c042b544 99 API calls 26772->26777 26773->26772 26775 7ff6c04320f6 CloseHandle 26773->26775 26774->26745 26775->26772 26777->26774 26779 7ff6c045d94c 26780 7ff6c045d95b _invalid_parameter_noinfo_noreturn 26779->26780 26781 7ff6c045d997 26779->26781 26780->26781 26782 7ff6c045d97e HeapAlloc 26780->26782 26785 7ff6c045bbc0 _invalid_parameter_noinfo_noreturn 2 API calls 26780->26785 26786 7ff6c045d69c 15 API calls _invalid_parameter_noinfo_noreturn 26781->26786 26782->26780 26784 7ff6c045d995 26782->26784 26785->26780 26786->26784 26787 7ff6c045bdf8 26788 7ff6c045be68 26787->26788 26789 7ff6c045be1e GetModuleHandleW 26787->26789 26804 7ff6c045f398 EnterCriticalSection 26788->26804 26789->26788 26797 7ff6c045be2b 26789->26797 26797->26788 26805 7ff6c045bfb0 GetModuleHandleExW 26797->26805 26806 7ff6c045bfda GetProcAddress 26805->26806 26807 7ff6c045c001 26805->26807 26806->26807 26810 7ff6c045bff4 26806->26810 26808 7ff6c045c00b FreeLibrary 26807->26808 26809 7ff6c045c011 26807->26809 26808->26809 26809->26788 26810->26807 26811 7ff6c04511cf 26812 7ff6c0451102 26811->26812 26813 7ff6c0451900 _com_raise_error 14 API calls 26812->26813 26813->26812 26814 7ff6c044b190 27157 7ff6c042255c 26814->27157 26816 7ff6c044b1db 26817 7ff6c044be93 26816->26817 26818 7ff6c044b1ef 26816->26818 26967 7ff6c044b20c 26816->26967 27423 7ff6c044f390 26817->27423 26821 7ff6c044b2db 26818->26821 26822 7ff6c044b1ff 26818->26822 26818->26967 26820 7ff6c0452320 _handle_error 8 API calls 26826 7ff6c044c350 26820->26826 26829 7ff6c044b391 26821->26829 26834 7ff6c044b2f5 26821->26834 26827 7ff6c044b207 26822->26827 26828 7ff6c044b2a9 26822->26828 26824 7ff6c044beba SendMessageW 26825 7ff6c044bec9 26824->26825 26831 7ff6c044bed5 SendDlgItemMessageW 26825->26831 26832 7ff6c044bef0 GetDlgItem SendMessageW 26825->26832 26837 7ff6c043aae0 48 API calls 26827->26837 26827->26967 26833 7ff6c044b2cb EndDialog 26828->26833 26828->26967 27165 7ff6c04222bc GetDlgItem 26829->27165 26831->26832 26836 7ff6c04362dc 35 API calls 26832->26836 26833->26967 26838 7ff6c043aae0 48 API calls 26834->26838 26839 7ff6c044bf47 GetDlgItem 26836->26839 26840 7ff6c044b236 26837->26840 26841 7ff6c044b313 SetDlgItemTextW 26838->26841 27442 7ff6c0422520 26839->27442 27446 7ff6c0421ec4 34 API calls _handle_error 26840->27446 26845 7ff6c044b326 26841->26845 26844 7ff6c044b408 GetDlgItem 26849 7ff6c044b422 SendMessageW SendMessageW 26844->26849 26850 7ff6c044b44f SetFocus 26844->26850 26854 7ff6c044b340 GetMessageW 26845->26854 26845->26967 26848 7ff6c044b246 26853 7ff6c044b25c 26848->26853 27447 7ff6c042250c 26848->27447 26849->26850 26855 7ff6c044b4f2 26850->26855 26856 7ff6c044b465 26850->26856 26851 7ff6c044b3da 26858 7ff6c0421fa0 31 API calls 26851->26858 26872 7ff6c044c363 26853->26872 26853->26967 26862 7ff6c044b35e IsDialogMessageW 26854->26862 26854->26967 27179 7ff6c0428d04 26855->27179 26863 7ff6c043aae0 48 API calls 26856->26863 26857 7ff6c044bcc5 26864 7ff6c043aae0 48 API calls 26857->26864 26858->26967 26862->26845 26867 7ff6c044b373 TranslateMessage DispatchMessageW 26862->26867 26868 7ff6c044b46f 26863->26868 26869 7ff6c044bcd6 SetDlgItemTextW 26864->26869 26866 7ff6c044b52c 27189 7ff6c044ef80 26866->27189 26867->26845 26878 7ff6c042129c 33 API calls 26868->26878 26873 7ff6c043aae0 48 API calls 26869->26873 26874 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26872->26874 26879 7ff6c044bd08 26873->26879 26880 7ff6c044c368 26874->26880 26877 7ff6c043aae0 48 API calls 26884 7ff6c044b555 26877->26884 26885 7ff6c044b498 26878->26885 26895 7ff6c042129c 33 API calls 26879->26895 26890 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26880->26890 26887 7ff6c043da98 48 API calls 26884->26887 26888 7ff6c044f0a4 24 API calls 26885->26888 26893 7ff6c044b568 26887->26893 26894 7ff6c044b4a5 26888->26894 26897 7ff6c044c36e 26890->26897 27203 7ff6c044f0a4 26893->27203 26894->26880 26910 7ff6c044b4e8 26894->26910 26927 7ff6c044bd31 26895->26927 26907 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26897->26907 26905 7ff6c044bdda 26911 7ff6c043aae0 48 API calls 26905->26911 26912 7ff6c044c374 26907->26912 26919 7ff6c044b5ec 26910->26919 27450 7ff6c044fa80 33 API calls 2 library calls 26910->27450 26922 7ff6c044bde4 26911->26922 26932 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26912->26932 26916 7ff6c0421fa0 31 API calls 26925 7ff6c044b586 26916->26925 26920 7ff6c044b61a 26919->26920 27451 7ff6c04332a8 26919->27451 27217 7ff6c0432f58 26920->27217 26944 7ff6c042129c 33 API calls 26922->26944 26925->26897 26925->26910 26927->26905 26939 7ff6c042129c 33 API calls 26927->26939 26938 7ff6c044c37a 26932->26938 26949 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26938->26949 26945 7ff6c044bd7f 26939->26945 26942 7ff6c044b64c 27229 7ff6c0437fc4 26942->27229 26943 7ff6c044b634 GetLastError 26943->26942 26948 7ff6c044be0d 26944->26948 26951 7ff6c043aae0 48 API calls 26945->26951 26947 7ff6c044b60e 27454 7ff6c0449d90 12 API calls _handle_error 26947->27454 26965 7ff6c042129c 33 API calls 26948->26965 26956 7ff6c044c380 26949->26956 26952 7ff6c044bd8a 26951->26952 26957 7ff6c0421150 33 API calls 26952->26957 26966 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 26956->26966 26961 7ff6c044bda2 26957->26961 26959 7ff6c044b65e 26963 7ff6c044b674 26959->26963 26964 7ff6c044b665 GetLastError 26959->26964 26972 7ff6c0422034 33 API calls 26961->26972 26971 7ff6c044b72b 26963->26971 26973 7ff6c044b68b GetTickCount 26963->26973 27057 7ff6c044b71c 26963->27057 26964->26963 26968 7ff6c044be4e 26965->26968 26969 7ff6c044c386 26966->26969 26967->26820 26985 7ff6c0421fa0 31 API calls 26968->26985 26974 7ff6c042255c 61 API calls 26969->26974 26975 7ff6c044ba50 26971->26975 26980 7ff6c0436454 34 API calls 26971->26980 26976 7ff6c044bdbe 26972->26976 27232 7ff6c0424228 26973->27232 26978 7ff6c044c3e4 26974->26978 26983 7ff6c044b3b1 EndDialog 26975->26983 27463 7ff6c042bd0c 33 API calls 26975->27463 26981 7ff6c0421fa0 31 API calls 26976->26981 26986 7ff6c044c3e8 26978->26986 26994 7ff6c044c489 GetDlgItem SetFocus 26978->26994 27033 7ff6c044c3fd 26978->27033 26988 7ff6c044b74e 26980->26988 26989 7ff6c044bdcc 26981->26989 26983->26851 26993 7ff6c044be78 26985->26993 26995 7ff6c0452320 _handle_error 8 API calls 26986->26995 27455 7ff6c043b914 102 API calls 26988->27455 26998 7ff6c0421fa0 31 API calls 26989->26998 26991 7ff6c044bb79 27006 7ff6c043aae0 48 API calls 26991->27006 26992 7ff6c044ba75 27464 7ff6c0421150 26992->27464 27002 7ff6c0421fa0 31 API calls 26993->27002 26999 7ff6c044c4ba 26994->26999 27003 7ff6c044ca97 26995->27003 26998->26905 27011 7ff6c042129c 33 API calls 26999->27011 27000 7ff6c044b6ba 27005 7ff6c0421fa0 31 API calls 27000->27005 27008 7ff6c044be83 27002->27008 27004 7ff6c044b768 27010 7ff6c043da98 48 API calls 27004->27010 27012 7ff6c044b6c8 27005->27012 27013 7ff6c044bba7 SetDlgItemTextW 27006->27013 27007 7ff6c044ba8a 27014 7ff6c043aae0 48 API calls 27007->27014 27015 7ff6c0421fa0 31 API calls 27008->27015 27009 7ff6c044c434 SendDlgItemMessageW 27016 7ff6c044c45d EndDialog 27009->27016 27017 7ff6c044c454 27009->27017 27018 7ff6c044b7aa GetCommandLineW 27010->27018 27019 7ff6c044c4cc 27011->27019 27242 7ff6c0432134 27012->27242 27020 7ff6c0422534 27013->27020 27021 7ff6c044ba97 27014->27021 27015->26851 27016->26986 27017->27016 27022 7ff6c044b869 27018->27022 27023 7ff6c044b84f 27018->27023 27468 7ff6c04380d8 33 API calls 27019->27468 27025 7ff6c044bbc5 SetDlgItemTextW GetDlgItem 27020->27025 27026 7ff6c0421150 33 API calls 27021->27026 27456 7ff6c044ab54 33 API calls _handle_error 27022->27456 27041 7ff6c04220b0 33 API calls 27023->27041 27030 7ff6c044bc13 27025->27030 27031 7ff6c044bbf0 GetWindowLongPtrW SetWindowLongPtrW 27025->27031 27032 7ff6c044baaa 27026->27032 27027 7ff6c044c4e0 27034 7ff6c042250c SetDlgItemTextW 27027->27034 27258 7ff6c044ce88 27030->27258 27031->27030 27038 7ff6c0421fa0 31 API calls 27032->27038 27033->26986 27033->27009 27042 7ff6c044c4f4 27034->27042 27035 7ff6c044b87a 27457 7ff6c044ab54 33 API calls _handle_error 27035->27457 27040 7ff6c044bab5 27038->27040 27047 7ff6c0421fa0 31 API calls 27040->27047 27041->27022 27051 7ff6c044c526 SendDlgItemMessageW FindFirstFileW 27042->27051 27044 7ff6c044b704 27049 7ff6c043204c 100 API calls 27044->27049 27045 7ff6c044b6f5 GetLastError 27045->27044 27046 7ff6c044ce88 160 API calls 27050 7ff6c044bc3c 27046->27050 27059 7ff6c044bac3 27047->27059 27048 7ff6c044b88b 27458 7ff6c044ab54 33 API calls _handle_error 27048->27458 27053 7ff6c044b711 27049->27053 27408 7ff6c044f974 27050->27408 27060 7ff6c044c57b 27051->27060 27149 7ff6c044ca04 27051->27149 27054 7ff6c0421fa0 31 API calls 27053->27054 27054->27057 27056 7ff6c044b89c 27459 7ff6c043b9b4 102 API calls 27056->27459 27057->26971 27057->26991 27063 7ff6c043aae0 48 API calls 27059->27063 27067 7ff6c043aae0 48 API calls 27060->27067 27062 7ff6c044ce88 160 API calls 27078 7ff6c044bc6a 27062->27078 27066 7ff6c044badb 27063->27066 27064 7ff6c044b8b3 27460 7ff6c044fbdc 33 API calls 27064->27460 27065 7ff6c044ca81 27065->26986 27079 7ff6c042129c 33 API calls 27066->27079 27072 7ff6c044c59e 27067->27072 27069 7ff6c044caa9 27070 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27069->27070 27074 7ff6c044caae 27070->27074 27071 7ff6c044bc96 27422 7ff6c0422298 GetDlgItem EnableWindow 27071->27422 27084 7ff6c042129c 33 API calls 27072->27084 27073 7ff6c044b8d2 CreateFileMappingW 27076 7ff6c044b953 ShellExecuteExW 27073->27076 27077 7ff6c044b911 MapViewOfFile 27073->27077 27082 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27074->27082 27097 7ff6c044b974 27076->27097 27461 7ff6c0453640 27077->27461 27078->27071 27083 7ff6c044ce88 160 API calls 27078->27083 27090 7ff6c044bb04 27079->27090 27080 7ff6c044b3f5 27080->26857 27080->26983 27085 7ff6c044cab4 27082->27085 27083->27071 27086 7ff6c044c5cd 27084->27086 27089 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27085->27089 27087 7ff6c0421150 33 API calls 27086->27087 27092 7ff6c044c5e8 27087->27092 27088 7ff6c044b9c3 27098 7ff6c044b9dc UnmapViewOfFile CloseHandle 27088->27098 27099 7ff6c044b9ef 27088->27099 27094 7ff6c044caba 27089->27094 27090->26938 27091 7ff6c044bb5a 27090->27091 27095 7ff6c0421fa0 31 API calls 27091->27095 27469 7ff6c042e164 33 API calls 2 library calls 27092->27469 27102 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27094->27102 27095->26983 27096 7ff6c044c5ff 27100 7ff6c0421fa0 31 API calls 27096->27100 27097->27088 27104 7ff6c044b9b1 Sleep 27097->27104 27098->27099 27099->26912 27101 7ff6c044ba25 27099->27101 27103 7ff6c044c60c 27100->27103 27106 7ff6c0421fa0 31 API calls 27101->27106 27105 7ff6c044cac0 27102->27105 27103->27074 27108 7ff6c0421fa0 31 API calls 27103->27108 27104->27088 27104->27097 27109 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27105->27109 27107 7ff6c044ba42 27106->27107 27110 7ff6c0421fa0 31 API calls 27107->27110 27111 7ff6c044c673 27108->27111 27112 7ff6c044cac6 27109->27112 27110->26975 27113 7ff6c042250c SetDlgItemTextW 27111->27113 27115 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27112->27115 27114 7ff6c044c687 FindClose 27113->27114 27116 7ff6c044c797 SendDlgItemMessageW 27114->27116 27117 7ff6c044c6a3 27114->27117 27118 7ff6c044cacc 27115->27118 27119 7ff6c044c7cb 27116->27119 27470 7ff6c044a2cc 10 API calls _handle_error 27117->27470 27122 7ff6c043aae0 48 API calls 27119->27122 27121 7ff6c044c6c6 27123 7ff6c043aae0 48 API calls 27121->27123 27124 7ff6c044c7d8 27122->27124 27125 7ff6c044c6cf 27123->27125 27127 7ff6c042129c 33 API calls 27124->27127 27126 7ff6c043da98 48 API calls 27125->27126 27131 7ff6c044c6ec BuildCatchObjectHelperInternal 27126->27131 27128 7ff6c044c807 27127->27128 27130 7ff6c0421150 33 API calls 27128->27130 27129 7ff6c0421fa0 31 API calls 27132 7ff6c044c783 27129->27132 27133 7ff6c044c822 27130->27133 27131->27085 27131->27129 27134 7ff6c042250c SetDlgItemTextW 27132->27134 27471 7ff6c042e164 33 API calls 2 library calls 27133->27471 27134->27116 27136 7ff6c044c839 27137 7ff6c0421fa0 31 API calls 27136->27137 27138 7ff6c044c845 BuildCatchObjectHelperInternal 27137->27138 27139 7ff6c0421fa0 31 API calls 27138->27139 27140 7ff6c044c87f 27139->27140 27141 7ff6c0421fa0 31 API calls 27140->27141 27142 7ff6c044c88c 27141->27142 27142->27094 27143 7ff6c0421fa0 31 API calls 27142->27143 27144 7ff6c044c8f3 27143->27144 27145 7ff6c042250c SetDlgItemTextW 27144->27145 27146 7ff6c044c907 27145->27146 27146->27149 27472 7ff6c044a2cc 10 API calls _handle_error 27146->27472 27148 7ff6c044c932 27150 7ff6c043aae0 48 API calls 27148->27150 27149->26986 27149->27065 27149->27069 27149->27112 27151 7ff6c044c93c 27150->27151 27152 7ff6c043da98 48 API calls 27151->27152 27154 7ff6c044c959 BuildCatchObjectHelperInternal 27152->27154 27153 7ff6c0421fa0 31 API calls 27155 7ff6c044c9f0 27153->27155 27154->27105 27154->27153 27156 7ff6c042250c SetDlgItemTextW 27155->27156 27156->27149 27158 7ff6c042256a 27157->27158 27159 7ff6c04225d0 27157->27159 27158->27159 27473 7ff6c043a4ac 27158->27473 27159->26816 27161 7ff6c042258f 27161->27159 27162 7ff6c04225a4 GetDlgItem 27161->27162 27162->27159 27163 7ff6c04225b7 27162->27163 27163->27159 27164 7ff6c04225be SetWindowTextW 27163->27164 27164->27159 27166 7ff6c04222fc 27165->27166 27167 7ff6c0422334 27165->27167 27169 7ff6c042129c 33 API calls 27166->27169 27522 7ff6c04223f8 GetWindowTextLengthW 27167->27522 27170 7ff6c042232a BuildCatchObjectHelperInternal 27169->27170 27172 7ff6c0421fa0 31 API calls 27170->27172 27174 7ff6c0422389 27170->27174 27171 7ff6c04223c8 27173 7ff6c0452320 _handle_error 8 API calls 27171->27173 27172->27174 27175 7ff6c04223dd 27173->27175 27174->27171 27176 7ff6c04223f0 27174->27176 27175->26844 27175->26983 27175->27080 27177 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27176->27177 27178 7ff6c04223f5 27177->27178 27180 7ff6c0428d34 27179->27180 27186 7ff6c0428de8 27179->27186 27183 7ff6c0428d91 27180->27183 27184 7ff6c0428de3 27180->27184 27188 7ff6c0428d42 BuildCatchObjectHelperInternal 27180->27188 27187 7ff6c04521d0 33 API calls 27183->27187 27183->27188 27185 7ff6c0421f80 Concurrency::cancel_current_task 33 API calls 27184->27185 27185->27186 27534 7ff6c0422004 33 API calls std::_Xinvalid_argument 27186->27534 27187->27188 27188->26866 27193 7ff6c044efb0 27189->27193 27190 7ff6c044efd7 27191 7ff6c0452320 _handle_error 8 API calls 27190->27191 27192 7ff6c044b537 27191->27192 27192->26877 27193->27190 27535 7ff6c042bd0c 33 API calls 27193->27535 27195 7ff6c044f02a 27196 7ff6c0421150 33 API calls 27195->27196 27197 7ff6c044f03f 27196->27197 27199 7ff6c0421fa0 31 API calls 27197->27199 27200 7ff6c044f04f BuildCatchObjectHelperInternal 27197->27200 27198 7ff6c0421fa0 31 API calls 27201 7ff6c044f076 27198->27201 27199->27200 27200->27198 27202 7ff6c0421fa0 31 API calls 27201->27202 27202->27190 27536 7ff6c044ae1c PeekMessageW 27203->27536 27206 7ff6c044f143 SendMessageW SendMessageW 27208 7ff6c044f189 27206->27208 27209 7ff6c044f1a4 SendMessageW 27206->27209 27207 7ff6c044f0f5 27210 7ff6c044f101 ShowWindow SendMessageW SendMessageW 27207->27210 27208->27209 27211 7ff6c044f1c6 SendMessageW SendMessageW 27209->27211 27212 7ff6c044f1c3 27209->27212 27210->27206 27213 7ff6c044f218 SendMessageW 27211->27213 27214 7ff6c044f1f3 SendMessageW 27211->27214 27212->27211 27215 7ff6c0452320 _handle_error 8 API calls 27213->27215 27214->27213 27216 7ff6c044b578 27215->27216 27216->26916 27218 7ff6c043309d 27217->27218 27225 7ff6c0432f8e 27217->27225 27219 7ff6c0452320 _handle_error 8 API calls 27218->27219 27220 7ff6c04330b3 27219->27220 27220->26942 27220->26943 27221 7ff6c0433077 27221->27218 27222 7ff6c0433684 56 API calls 27221->27222 27222->27218 27223 7ff6c042129c 33 API calls 27223->27225 27225->27221 27225->27223 27226 7ff6c04330c8 27225->27226 27541 7ff6c0433684 27225->27541 27227 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27226->27227 27228 7ff6c04330cd 27227->27228 27230 7ff6c0437fcf 27229->27230 27231 7ff6c0437fd2 SetCurrentDirectoryW 27229->27231 27230->27231 27231->26959 27233 7ff6c0424255 27232->27233 27234 7ff6c042426a 27233->27234 27235 7ff6c042129c 33 API calls 27233->27235 27236 7ff6c0452320 _handle_error 8 API calls 27234->27236 27235->27234 27237 7ff6c04242a1 27236->27237 27238 7ff6c0423c84 27237->27238 27239 7ff6c0423cab 27238->27239 27575 7ff6c042710c 27239->27575 27241 7ff6c0423cbb BuildCatchObjectHelperInternal 27241->27000 27245 7ff6c043216a 27242->27245 27243 7ff6c043219e 27246 7ff6c043227f 27243->27246 27248 7ff6c0436a0c 49 API calls 27243->27248 27244 7ff6c04321b1 CreateFileW 27244->27243 27245->27243 27245->27244 27247 7ff6c04322af 27246->27247 27251 7ff6c04220b0 33 API calls 27246->27251 27249 7ff6c0452320 _handle_error 8 API calls 27247->27249 27250 7ff6c0432209 27248->27250 27252 7ff6c04322c4 27249->27252 27253 7ff6c0432246 27250->27253 27254 7ff6c043220d CreateFileW 27250->27254 27251->27247 27252->27044 27252->27045 27253->27246 27255 7ff6c04322d8 27253->27255 27254->27253 27256 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27255->27256 27257 7ff6c04322dd 27256->27257 27587 7ff6c044aa08 27258->27587 27260 7ff6c044d1ee 27261 7ff6c0421fa0 31 API calls 27260->27261 27262 7ff6c044d1f7 27261->27262 27263 7ff6c0452320 _handle_error 8 API calls 27262->27263 27265 7ff6c044bc2b 27263->27265 27264 7ff6c043d22c 33 API calls 27377 7ff6c044cf03 BuildCatchObjectHelperInternal 27264->27377 27265->27046 27266 7ff6c044eefa 27711 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 27266->27711 27269 7ff6c044ef00 27712 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 27269->27712 27271 7ff6c044ef06 27276 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27271->27276 27273 7ff6c044eeee 27274 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27273->27274 27275 7ff6c044eef4 27274->27275 27710 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 27275->27710 27278 7ff6c044ef0c 27276->27278 27280 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27278->27280 27281 7ff6c044ef12 27280->27281 27286 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27281->27286 27282 7ff6c044ee4a 27283 7ff6c044eed2 27282->27283 27287 7ff6c04220b0 33 API calls 27282->27287 27293 7ff6c0421f80 Concurrency::cancel_current_task 33 API calls 27283->27293 27284 7ff6c044eee8 27709 7ff6c0422004 33 API calls std::_Xinvalid_argument 27284->27709 27285 7ff6c04213a4 33 API calls 27288 7ff6c044dc3a GetTempPathW 27285->27288 27289 7ff6c044ef18 27286->27289 27292 7ff6c044ee77 27287->27292 27288->27377 27296 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27289->27296 27290 7ff6c04362dc 35 API calls 27290->27377 27708 7ff6c044abe8 33 API calls 3 library calls 27292->27708 27293->27284 27295 7ff6c0422520 SetWindowTextW 27295->27377 27301 7ff6c044ef1e 27296->27301 27299 7ff6c044ee8d 27303 7ff6c0421fa0 31 API calls 27299->27303 27306 7ff6c044eea4 BuildCatchObjectHelperInternal 27299->27306 27300 7ff6c045bb8c 43 API calls 27300->27377 27308 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27301->27308 27303->27306 27304 7ff6c0421fa0 31 API calls 27304->27283 27305 7ff6c044e7f3 27305->27283 27305->27284 27309 7ff6c04521d0 33 API calls 27305->27309 27316 7ff6c044e83b BuildCatchObjectHelperInternal 27305->27316 27306->27304 27307 7ff6c0435aa8 33 API calls 27307->27377 27310 7ff6c044ef24 27308->27310 27309->27316 27315 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27310->27315 27312 7ff6c044aa08 33 API calls 27312->27377 27313 7ff6c044ef6c 27714 7ff6c0422004 33 API calls std::_Xinvalid_argument 27313->27714 27314 7ff6c0424228 33 API calls 27314->27377 27320 7ff6c044ef2a 27315->27320 27324 7ff6c04220b0 33 API calls 27316->27324 27370 7ff6c044eb8f 27316->27370 27318 7ff6c0421fa0 31 API calls 27318->27282 27319 7ff6c044ef78 27715 7ff6c0422004 33 API calls std::_Xinvalid_argument 27319->27715 27331 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27320->27331 27321 7ff6c044ef72 27333 7ff6c0421f80 Concurrency::cancel_current_task 33 API calls 27321->27333 27323 7ff6c044ef66 27329 7ff6c0421f80 Concurrency::cancel_current_task 33 API calls 27323->27329 27332 7ff6c044e963 27324->27332 27326 7ff6c0428d04 33 API calls 27326->27377 27328 7ff6c044ed40 27328->27319 27328->27321 27345 7ff6c044ed3b BuildCatchObjectHelperInternal 27328->27345 27350 7ff6c04521d0 33 API calls 27328->27350 27329->27313 27330 7ff6c044ec2a 27330->27313 27330->27323 27340 7ff6c044ec72 BuildCatchObjectHelperInternal 27330->27340 27330->27345 27347 7ff6c04521d0 33 API calls 27330->27347 27337 7ff6c044ef30 27331->27337 27339 7ff6c044ef60 27332->27339 27346 7ff6c042129c 33 API calls 27332->27346 27333->27319 27335 7ff6c04499c8 31 API calls 27335->27377 27336 7ff6c042e164 33 API calls 27336->27377 27351 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27337->27351 27338 7ff6c0433d34 51 API calls 27338->27377 27713 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 27339->27713 27630 7ff6c044f4e0 27340->27630 27342 7ff6c044d5e9 GetDlgItem 27348 7ff6c0422520 SetWindowTextW 27342->27348 27345->27318 27352 7ff6c044e9a6 27346->27352 27347->27340 27353 7ff6c044d608 SendMessageW 27348->27353 27350->27345 27355 7ff6c044ef36 27351->27355 27704 7ff6c043d22c 27352->27704 27353->27377 27354 7ff6c04332bc 51 API calls 27354->27377 27360 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27355->27360 27358 7ff6c0435b60 53 API calls 27358->27377 27359 7ff6c043dc2c 33 API calls 27359->27377 27364 7ff6c044ef3c 27360->27364 27361 7ff6c044d63c SendMessageW 27361->27377 27363 7ff6c0433f30 54 API calls 27363->27377 27368 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27364->27368 27367 7ff6c044e9d1 27367->27370 27375 7ff6c04413c4 CompareStringW 27367->27375 27381 7ff6c044ef48 27367->27381 27384 7ff6c044ef4e 27367->27384 27391 7ff6c0421fa0 31 API calls 27367->27391 27393 7ff6c042129c 33 API calls 27367->27393 27399 7ff6c043d22c 33 API calls 27367->27399 27372 7ff6c044ef42 27368->27372 27370->27328 27370->27330 27373 7ff6c044ef5a 27370->27373 27389 7ff6c044ef54 27370->27389 27371 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27371->27373 27378 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27372->27378 27374 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27373->27374 27374->27339 27375->27367 27377->27260 27377->27264 27377->27266 27377->27269 27377->27271 27377->27273 27377->27275 27377->27278 27377->27281 27377->27282 27377->27285 27377->27289 27377->27290 27377->27295 27377->27300 27377->27301 27377->27305 27377->27307 27377->27310 27377->27312 27377->27314 27377->27320 27377->27326 27377->27335 27377->27336 27377->27337 27377->27338 27377->27354 27377->27355 27377->27358 27377->27359 27377->27361 27377->27363 27377->27364 27377->27372 27379 7ff6c0435820 33 API calls 27377->27379 27380 7ff6c04332a8 51 API calls 27377->27380 27383 7ff6c042250c SetDlgItemTextW 27377->27383 27386 7ff6c0437df4 47 API calls 27377->27386 27387 7ff6c0421150 33 API calls 27377->27387 27392 7ff6c0422034 33 API calls 27377->27392 27394 7ff6c0422674 31 API calls 27377->27394 27396 7ff6c042129c 33 API calls 27377->27396 27397 7ff6c044df99 EndDialog 27377->27397 27400 7ff6c044db21 MoveFileW 27377->27400 27403 7ff6c0421fa0 31 API calls 27377->27403 27405 7ff6c0432f58 56 API calls 27377->27405 27406 7ff6c04220b0 33 API calls 27377->27406 27591 7ff6c04413c4 CompareStringW 27377->27591 27592 7ff6c044a440 27377->27592 27668 7ff6c043cfa4 35 API calls _invalid_parameter_noinfo_noreturn 27377->27668 27669 7ff6c04495b4 33 API calls Concurrency::cancel_current_task 27377->27669 27670 7ff6c0450684 31 API calls _invalid_parameter_noinfo_noreturn 27377->27670 27671 7ff6c042df4c 47 API calls BuildCatchObjectHelperInternal 27377->27671 27672 7ff6c044a834 33 API calls _invalid_parameter_noinfo_noreturn 27377->27672 27673 7ff6c0449518 33 API calls 27377->27673 27674 7ff6c044abe8 33 API calls 3 library calls 27377->27674 27675 7ff6c0437368 33 API calls 2 library calls 27377->27675 27676 7ff6c0434088 33 API calls 27377->27676 27677 7ff6c04365b0 33 API calls 3 library calls 27377->27677 27678 7ff6c04372cc 27377->27678 27682 7ff6c0421744 33 API calls 4 library calls 27377->27682 27683 7ff6c04331bc 27377->27683 27697 7ff6c0433ea0 FindClose 27377->27697 27698 7ff6c04413f4 CompareStringW 27377->27698 27699 7ff6c0449cd0 47 API calls 27377->27699 27700 7ff6c04487d8 51 API calls 3 library calls 27377->27700 27701 7ff6c044ab54 33 API calls _handle_error 27377->27701 27702 7ff6c0435b08 CompareStringW 27377->27702 27703 7ff6c0437eb0 47 API calls 27377->27703 27378->27381 27379->27377 27380->27377 27382 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27381->27382 27382->27384 27383->27377 27388 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27384->27388 27386->27377 27387->27377 27388->27389 27389->27371 27391->27367 27392->27377 27393->27367 27394->27377 27396->27377 27397->27377 27399->27367 27401 7ff6c044db55 MoveFileExW 27400->27401 27402 7ff6c044db70 27400->27402 27401->27402 27402->27377 27404 7ff6c0421fa0 31 API calls 27402->27404 27403->27377 27404->27402 27405->27377 27406->27377 27409 7ff6c044f9a3 27408->27409 27410 7ff6c04220b0 33 API calls 27409->27410 27411 7ff6c044f9b9 27410->27411 27412 7ff6c044f9ee 27411->27412 27413 7ff6c04220b0 33 API calls 27411->27413 27728 7ff6c042e34c 27412->27728 27413->27412 27415 7ff6c044fa4b 27748 7ff6c042e7a8 27415->27748 27419 7ff6c044fa61 27420 7ff6c0452320 _handle_error 8 API calls 27419->27420 27421 7ff6c044bc52 27420->27421 27421->27062 27424 7ff6c044849c 4 API calls 27423->27424 27425 7ff6c044f3bf 27424->27425 27426 7ff6c044f4b7 27425->27426 27427 7ff6c044f3c7 GetWindow 27425->27427 27428 7ff6c0452320 _handle_error 8 API calls 27426->27428 27432 7ff6c044f3e2 27427->27432 27429 7ff6c044be9b 27428->27429 27429->26824 27429->26825 27430 7ff6c044f3ee GetClassNameW 28748 7ff6c04413c4 CompareStringW 27430->28748 27432->27426 27432->27430 27433 7ff6c044f496 GetWindow 27432->27433 27434 7ff6c044f417 GetWindowLongPtrW 27432->27434 27433->27426 27433->27432 27434->27433 27435 7ff6c044f429 SendMessageW 27434->27435 27435->27433 27436 7ff6c044f445 GetObjectW 27435->27436 28749 7ff6c0448504 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 27436->28749 27438 7ff6c044f461 27439 7ff6c04484cc 4 API calls 27438->27439 28750 7ff6c0448df4 16 API calls _handle_error 27438->28750 27439->27438 27441 7ff6c044f479 SendMessageW DeleteObject 27441->27433 27443 7ff6c0422527 27442->27443 27444 7ff6c042252a SetWindowTextW 27442->27444 27443->27444 27445 7ff6c048e2e0 27444->27445 27446->26848 27448 7ff6c0422516 SetDlgItemTextW 27447->27448 27449 7ff6c0422513 27447->27449 27449->27448 27450->26919 27452 7ff6c04332bc 51 API calls 27451->27452 27453 7ff6c04332b1 27452->27453 27453->26920 27453->26947 27454->26920 27455->27004 27456->27035 27457->27048 27458->27056 27459->27064 27460->27073 27462 7ff6c0453620 27461->27462 27462->27076 27463->26992 27465 7ff6c0421177 27464->27465 27466 7ff6c0422034 33 API calls 27465->27466 27467 7ff6c0421185 BuildCatchObjectHelperInternal 27466->27467 27467->27007 27468->27027 27469->27096 27470->27121 27471->27136 27472->27148 27474 7ff6c0433e28 swprintf 46 API calls 27473->27474 27475 7ff6c043a509 27474->27475 27476 7ff6c0440f68 WideCharToMultiByte 27475->27476 27478 7ff6c043a519 27476->27478 27477 7ff6c043a589 27498 7ff6c0439408 27477->27498 27478->27477 27491 7ff6c0439800 31 API calls 27478->27491 27496 7ff6c043a56a SetDlgItemTextW 27478->27496 27481 7ff6c043a603 27485 7ff6c043a60c GetWindowLongPtrW 27481->27485 27486 7ff6c043a6c2 27481->27486 27482 7ff6c043a6f2 GetSystemMetrics GetWindow 27483 7ff6c043a71d 27482->27483 27484 7ff6c043a821 27482->27484 27483->27484 27495 7ff6c043a73e GetWindowRect 27483->27495 27497 7ff6c043a800 GetWindow 27483->27497 27488 7ff6c0452320 _handle_error 8 API calls 27484->27488 27489 7ff6c048e2c0 27485->27489 27513 7ff6c04395a8 27486->27513 27492 7ff6c043a830 27488->27492 27493 7ff6c043a6aa GetWindowRect 27489->27493 27491->27478 27492->27161 27493->27486 27494 7ff6c043a6e5 SetWindowTextW 27494->27482 27495->27483 27496->27478 27497->27483 27497->27484 27499 7ff6c04395a8 47 API calls 27498->27499 27501 7ff6c043944f 27499->27501 27500 7ff6c0452320 _handle_error 8 API calls 27502 7ff6c043958e GetWindowRect GetClientRect 27500->27502 27503 7ff6c042129c 33 API calls 27501->27503 27512 7ff6c043955a 27501->27512 27502->27481 27502->27482 27504 7ff6c043949c 27503->27504 27505 7ff6c04395a1 27504->27505 27507 7ff6c042129c 33 API calls 27504->27507 27506 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27505->27506 27508 7ff6c04395a7 27506->27508 27509 7ff6c0439514 27507->27509 27510 7ff6c043959c 27509->27510 27509->27512 27511 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27510->27511 27511->27505 27512->27500 27514 7ff6c0433e28 swprintf 46 API calls 27513->27514 27515 7ff6c04395eb 27514->27515 27516 7ff6c0440f68 WideCharToMultiByte 27515->27516 27517 7ff6c0439603 27516->27517 27518 7ff6c0439800 31 API calls 27517->27518 27519 7ff6c043961b 27518->27519 27520 7ff6c0452320 _handle_error 8 API calls 27519->27520 27521 7ff6c043962b 27520->27521 27521->27482 27521->27494 27523 7ff6c04213a4 33 API calls 27522->27523 27524 7ff6c0422462 GetWindowTextW 27523->27524 27525 7ff6c0422494 27524->27525 27526 7ff6c042129c 33 API calls 27525->27526 27527 7ff6c04224a2 27526->27527 27530 7ff6c0422505 27527->27530 27531 7ff6c04224dd 27527->27531 27528 7ff6c0452320 _handle_error 8 API calls 27529 7ff6c04224f3 27528->27529 27529->27170 27532 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27530->27532 27531->27528 27533 7ff6c042250a 27532->27533 27535->27195 27537 7ff6c044ae3c GetMessageW 27536->27537 27538 7ff6c044ae80 GetDlgItem 27536->27538 27539 7ff6c044ae6a TranslateMessage DispatchMessageW 27537->27539 27540 7ff6c044ae5b IsDialogMessageW 27537->27540 27538->27206 27538->27207 27539->27538 27540->27538 27540->27539 27543 7ff6c04336b3 27541->27543 27542 7ff6c04336e0 27544 7ff6c04332bc 51 API calls 27542->27544 27543->27542 27545 7ff6c04336cc CreateDirectoryW 27543->27545 27547 7ff6c04336ee 27544->27547 27545->27542 27546 7ff6c043377d 27545->27546 27548 7ff6c043378d 27546->27548 27561 7ff6c0433d34 27546->27561 27549 7ff6c0433791 GetLastError 27547->27549 27551 7ff6c0436a0c 49 API calls 27547->27551 27552 7ff6c0452320 _handle_error 8 API calls 27548->27552 27549->27548 27553 7ff6c043371c 27551->27553 27554 7ff6c04337b9 27552->27554 27555 7ff6c043373b 27553->27555 27556 7ff6c0433720 CreateDirectoryW 27553->27556 27554->27225 27557 7ff6c0433774 27555->27557 27558 7ff6c04337ce 27555->27558 27556->27555 27557->27546 27557->27549 27559 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27558->27559 27560 7ff6c04337d3 27559->27560 27562 7ff6c0433d5b 27561->27562 27563 7ff6c0433d5e SetFileAttributesW 27561->27563 27562->27563 27564 7ff6c0433df5 27563->27564 27565 7ff6c0433d74 27563->27565 27566 7ff6c0452320 _handle_error 8 API calls 27564->27566 27567 7ff6c0436a0c 49 API calls 27565->27567 27569 7ff6c0433e0a 27566->27569 27568 7ff6c0433d99 27567->27568 27570 7ff6c0433dbc 27568->27570 27571 7ff6c0433d9d SetFileAttributesW 27568->27571 27569->27548 27570->27564 27572 7ff6c0433e1a 27570->27572 27571->27570 27573 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27572->27573 27574 7ff6c0433e1f 27573->27574 27576 7ff6c0427206 27575->27576 27577 7ff6c042713b 27575->27577 27585 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 27576->27585 27583 7ff6c042714b BuildCatchObjectHelperInternal 27577->27583 27584 7ff6c0423f48 33 API calls 2 library calls 27577->27584 27580 7ff6c042720b 27581 7ff6c0427273 27580->27581 27586 7ff6c042889c 8 API calls BuildCatchObjectHelperInternal 27580->27586 27581->27241 27583->27241 27584->27583 27585->27580 27586->27580 27588 7ff6c044aa2f 27587->27588 27589 7ff6c044aa36 27587->27589 27588->27377 27589->27588 27716 7ff6c0421744 33 API calls 4 library calls 27589->27716 27591->27377 27593 7ff6c044a706 27592->27593 27594 7ff6c044a47f 27592->27594 27596 7ff6c0452320 _handle_error 8 API calls 27593->27596 27717 7ff6c044cdf8 33 API calls 27594->27717 27598 7ff6c044a717 27596->27598 27597 7ff6c044a49e 27599 7ff6c042129c 33 API calls 27597->27599 27598->27342 27600 7ff6c044a4de 27599->27600 27601 7ff6c042129c 33 API calls 27600->27601 27602 7ff6c044a517 27601->27602 27603 7ff6c042129c 33 API calls 27602->27603 27604 7ff6c044a54a 27603->27604 27718 7ff6c044a834 33 API calls _invalid_parameter_noinfo_noreturn 27604->27718 27606 7ff6c044a734 27607 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27606->27607 27608 7ff6c044a73a 27607->27608 27610 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27608->27610 27609 7ff6c044a573 27609->27606 27609->27608 27611 7ff6c044a740 27609->27611 27612 7ff6c04220b0 33 API calls 27609->27612 27615 7ff6c044a685 27609->27615 27610->27611 27613 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27611->27613 27612->27615 27614 7ff6c044a746 27613->27614 27617 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27614->27617 27615->27593 27615->27614 27616 7ff6c044a72f 27615->27616 27618 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27616->27618 27619 7ff6c044a74c 27617->27619 27618->27606 27620 7ff6c042255c 61 API calls 27619->27620 27621 7ff6c044a795 27620->27621 27622 7ff6c044a7b1 27621->27622 27623 7ff6c044a801 SetDlgItemTextW 27621->27623 27626 7ff6c044a7a1 27621->27626 27624 7ff6c0452320 _handle_error 8 API calls 27622->27624 27623->27622 27625 7ff6c044a827 27624->27625 27625->27342 27626->27622 27629 7ff6c044a7ad 27626->27629 27719 7ff6c043bb00 102 API calls 27626->27719 27627 7ff6c044a7b7 EndDialog 27627->27622 27629->27622 27629->27627 27635 7ff6c044f529 __scrt_get_show_window_mode 27630->27635 27646 7ff6c044f87d 27630->27646 27631 7ff6c0421fa0 31 API calls 27632 7ff6c044f89c 27631->27632 27633 7ff6c0452320 _handle_error 8 API calls 27632->27633 27634 7ff6c044f8a8 27633->27634 27634->27345 27636 7ff6c044f684 27635->27636 27720 7ff6c04413c4 CompareStringW 27635->27720 27638 7ff6c042129c 33 API calls 27636->27638 27639 7ff6c044f6c0 27638->27639 27640 7ff6c04332a8 51 API calls 27639->27640 27641 7ff6c044f6ca 27640->27641 27642 7ff6c0421fa0 31 API calls 27641->27642 27645 7ff6c044f6d5 27642->27645 27643 7ff6c044f742 ShellExecuteExW 27644 7ff6c044f846 27643->27644 27650 7ff6c044f755 27643->27650 27644->27646 27652 7ff6c044f8fb 27644->27652 27645->27643 27648 7ff6c042129c 33 API calls 27645->27648 27646->27631 27647 7ff6c044f78e 27722 7ff6c044fe24 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 27647->27722 27651 7ff6c044f717 27648->27651 27649 7ff6c044f7e3 CloseHandle 27653 7ff6c044f7f2 27649->27653 27654 7ff6c044f801 27649->27654 27650->27647 27650->27649 27659 7ff6c044f781 ShowWindow 27650->27659 27721 7ff6c0435b60 53 API calls 2 library calls 27651->27721 27656 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27652->27656 27723 7ff6c04413c4 CompareStringW 27653->27723 27654->27644 27664 7ff6c044f837 ShowWindow 27654->27664 27657 7ff6c044f900 27656->27657 27659->27647 27661 7ff6c044f725 27663 7ff6c0421fa0 31 API calls 27661->27663 27662 7ff6c044f7a6 27662->27649 27666 7ff6c044f7b4 GetExitCodeProcess 27662->27666 27665 7ff6c044f72f 27663->27665 27664->27644 27665->27643 27666->27649 27667 7ff6c044f7c7 27666->27667 27667->27649 27668->27377 27669->27377 27670->27377 27671->27377 27672->27377 27673->27377 27674->27377 27675->27377 27676->27377 27677->27377 27679 7ff6c04372ea 27678->27679 27724 7ff6c042b3a8 27679->27724 27682->27377 27684 7ff6c04331e7 DeleteFileW 27683->27684 27685 7ff6c04331e4 27683->27685 27686 7ff6c04331fd 27684->27686 27693 7ff6c043327c 27684->27693 27685->27684 27688 7ff6c0436a0c 49 API calls 27686->27688 27687 7ff6c0452320 _handle_error 8 API calls 27690 7ff6c0433291 27687->27690 27689 7ff6c0433222 27688->27689 27691 7ff6c0433226 DeleteFileW 27689->27691 27692 7ff6c0433243 27689->27692 27690->27377 27691->27692 27692->27693 27694 7ff6c04332a1 27692->27694 27693->27687 27695 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27694->27695 27696 7ff6c04332a6 27695->27696 27698->27377 27699->27377 27700->27377 27701->27377 27702->27377 27703->27377 27705 7ff6c043d25e 27704->27705 27706 7ff6c043d292 27705->27706 27707 7ff6c0421744 33 API calls 27705->27707 27706->27367 27707->27705 27708->27299 27710->27266 27711->27269 27712->27271 27713->27323 27716->27589 27717->27597 27718->27609 27719->27629 27720->27636 27721->27661 27722->27662 27723->27654 27727 7ff6c042b3f2 __scrt_get_show_window_mode 27724->27727 27725 7ff6c0452320 _handle_error 8 API calls 27726 7ff6c042b4b6 27725->27726 27726->27377 27727->27725 27784 7ff6c04386ec 27728->27784 27730 7ff6c042e3c4 27790 7ff6c042e600 27730->27790 27732 7ff6c042e4d4 27734 7ff6c04521d0 33 API calls 27732->27734 27733 7ff6c042e454 27733->27732 27735 7ff6c042e549 27733->27735 27737 7ff6c042e4f0 27734->27737 27736 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27735->27736 27745 7ff6c042e54e 27736->27745 27796 7ff6c0443148 102 API calls 27737->27796 27739 7ff6c042e51d 27740 7ff6c0452320 _handle_error 8 API calls 27739->27740 27742 7ff6c042e52d 27740->27742 27741 7ff6c04318c2 27744 7ff6c043190d 27741->27744 27746 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27741->27746 27742->27415 27743 7ff6c0421fa0 31 API calls 27743->27745 27744->27415 27745->27741 27745->27743 27745->27744 27747 7ff6c043193b 27746->27747 27751 7ff6c042e7ea 27748->27751 27749 7ff6c042e864 27752 7ff6c042e8a1 27749->27752 27753 7ff6c042e993 27749->27753 27751->27749 27751->27752 27797 7ff6c0433ec8 27751->27797 27756 7ff6c042e900 27752->27756 27804 7ff6c042f578 27752->27804 27754 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27753->27754 27755 7ff6c042e998 27754->27755 27760 7ff6c042e955 27756->27760 27840 7ff6c04228a4 82 API calls 2 library calls 27756->27840 27758 7ff6c0452320 _handle_error 8 API calls 27759 7ff6c042e97e 27758->27759 27762 7ff6c042e578 27759->27762 27760->27758 28734 7ff6c04315d8 27762->28734 27765 7ff6c042e59e 27767 7ff6c0421fa0 31 API calls 27765->27767 27766 7ff6c0441870 108 API calls 27766->27765 27768 7ff6c042e5b7 27767->27768 27769 7ff6c0421fa0 31 API calls 27768->27769 27770 7ff6c042e5c3 27769->27770 27771 7ff6c0421fa0 31 API calls 27770->27771 27772 7ff6c042e5cf 27771->27772 27773 7ff6c043878c 108 API calls 27772->27773 27774 7ff6c042e5db 27773->27774 27775 7ff6c0421fa0 31 API calls 27774->27775 27776 7ff6c042e5e4 27775->27776 27777 7ff6c0421fa0 31 API calls 27776->27777 27780 7ff6c042e5ed 27777->27780 27778 7ff6c04318c2 27779 7ff6c043190d 27778->27779 27781 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27778->27781 27779->27419 27780->27778 27780->27779 27782 7ff6c0421fa0 31 API calls 27780->27782 27783 7ff6c043193b 27781->27783 27782->27780 27785 7ff6c043870a 27784->27785 27786 7ff6c04521d0 33 API calls 27785->27786 27787 7ff6c043872f 27786->27787 27788 7ff6c04521d0 33 API calls 27787->27788 27789 7ff6c0438759 27788->27789 27789->27730 27791 7ff6c042e627 27790->27791 27794 7ff6c042e62c BuildCatchObjectHelperInternal 27790->27794 27792 7ff6c0421fa0 31 API calls 27791->27792 27792->27794 27793 7ff6c0421fa0 31 API calls 27795 7ff6c042e668 BuildCatchObjectHelperInternal 27793->27795 27794->27793 27794->27795 27795->27733 27796->27739 27798 7ff6c04372cc 8 API calls 27797->27798 27799 7ff6c0433ee1 27798->27799 27803 7ff6c0433f0f 27799->27803 27841 7ff6c04340bc 27799->27841 27802 7ff6c0433efa FindClose 27802->27803 27803->27751 27805 7ff6c042f598 _snwprintf 27804->27805 27867 7ff6c0422950 27805->27867 27810 7ff6c042f5cc 27812 7ff6c042f5fc 27810->27812 27882 7ff6c04233e4 27810->27882 27811 7ff6c042f5f8 27811->27812 27914 7ff6c0423ad8 27811->27914 28117 7ff6c0422c54 27812->28117 27819 7ff6c042f7cb 27924 7ff6c042f8a4 27819->27924 27821 7ff6c0428d04 33 API calls 27822 7ff6c042f662 27821->27822 28137 7ff6c0437918 48 API calls 2 library calls 27822->28137 27824 7ff6c042f677 27825 7ff6c0433ec8 55 API calls 27824->27825 27834 7ff6c042f6ad 27825->27834 27827 7ff6c042f842 27827->27812 27929 7ff6c04269f8 27827->27929 27940 7ff6c042f930 27827->27940 27832 7ff6c042f74d 27832->27819 27833 7ff6c042f89a 27832->27833 27836 7ff6c042f895 27832->27836 27835 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27833->27835 27834->27832 27834->27833 27837 7ff6c0433ec8 55 API calls 27834->27837 28138 7ff6c0437918 48 API calls 2 library calls 27834->28138 27838 7ff6c042f8a0 27835->27838 27839 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27836->27839 27837->27834 27839->27833 27840->27760 27842 7ff6c04340f9 FindFirstFileW 27841->27842 27843 7ff6c04341d2 FindNextFileW 27841->27843 27846 7ff6c04341f3 27842->27846 27847 7ff6c043411e 27842->27847 27845 7ff6c04341e1 GetLastError 27843->27845 27843->27846 27848 7ff6c04341c0 27845->27848 27849 7ff6c0434211 27846->27849 27852 7ff6c04220b0 33 API calls 27846->27852 27850 7ff6c0436a0c 49 API calls 27847->27850 27853 7ff6c0452320 _handle_error 8 API calls 27848->27853 27857 7ff6c042129c 33 API calls 27849->27857 27851 7ff6c0434144 27850->27851 27854 7ff6c0434148 FindFirstFileW 27851->27854 27855 7ff6c0434167 27851->27855 27852->27849 27856 7ff6c0433ef4 27853->27856 27854->27855 27855->27846 27859 7ff6c04341af GetLastError 27855->27859 27866 7ff6c0434314 27855->27866 27856->27802 27856->27803 27858 7ff6c043423b 27857->27858 27860 7ff6c0438090 47 API calls 27858->27860 27859->27848 27862 7ff6c0434249 27860->27862 27861 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27863 7ff6c043431a 27861->27863 27862->27848 27864 7ff6c043430f 27862->27864 27865 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27864->27865 27865->27866 27866->27861 27868 7ff6c042296c 27867->27868 27869 7ff6c04386ec 33 API calls 27868->27869 27870 7ff6c042298d 27869->27870 27871 7ff6c04521d0 33 API calls 27870->27871 27874 7ff6c0422ac2 27870->27874 27873 7ff6c0422ab0 27871->27873 27873->27874 27876 7ff6c04291c8 35 API calls 27873->27876 28140 7ff6c0434d04 27874->28140 27876->27874 27877 7ff6c0432ca8 27881 7ff6c04324c0 54 API calls 27877->27881 27878 7ff6c0432cc1 27879 7ff6c0432cc5 27878->27879 28154 7ff6c042b7e8 99 API calls 2 library calls 27878->28154 27879->27810 27881->27878 27912 7ff6c04328d0 104 API calls 27882->27912 27883 7ff6c0423674 28155 7ff6c04228a4 82 API calls 2 library calls 27883->28155 27884 7ff6c0423431 __scrt_get_show_window_mode 27891 7ff6c042344e 27884->27891 27893 7ff6c0423601 27884->27893 27910 7ff6c0432bb0 101 API calls 27884->27910 27886 7ff6c04269f8 132 API calls 27888 7ff6c0423682 27886->27888 27887 7ff6c04234cc 27905 7ff6c04328d0 104 API calls 27887->27905 27888->27886 27889 7ff6c042370c 27888->27889 27888->27893 27906 7ff6c0432aa0 101 API calls 27888->27906 27889->27893 27895 7ff6c0423740 27889->27895 28156 7ff6c04228a4 82 API calls 2 library calls 27889->28156 27891->27883 27891->27888 27892 7ff6c04235cb 27892->27891 27894 7ff6c04235d7 27892->27894 27893->27811 27894->27893 27897 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27894->27897 27895->27893 27896 7ff6c042384d 27895->27896 27908 7ff6c0432bb0 101 API calls 27895->27908 27896->27893 27899 7ff6c04220b0 33 API calls 27896->27899 27900 7ff6c0423891 27897->27900 27898 7ff6c04234eb 27898->27892 27911 7ff6c0432aa0 101 API calls 27898->27911 27899->27893 27900->27811 27901 7ff6c04235a7 27901->27892 27907 7ff6c04328d0 104 API calls 27901->27907 27902 7ff6c04269f8 132 API calls 27903 7ff6c042378e 27902->27903 27903->27902 27904 7ff6c0423803 27903->27904 27909 7ff6c0432aa0 101 API calls 27903->27909 27913 7ff6c0432aa0 101 API calls 27904->27913 27905->27898 27906->27888 27907->27892 27908->27903 27909->27903 27910->27887 27911->27901 27912->27884 27913->27896 27915 7ff6c0423af9 27914->27915 27921 7ff6c0423b55 27914->27921 28157 7ff6c0423378 27915->28157 27916 7ff6c0452320 _handle_error 8 API calls 27919 7ff6c0423b67 27916->27919 27919->27819 27919->27821 27920 7ff6c0423b6c 27922 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 27920->27922 27921->27916 27923 7ff6c0423b71 27922->27923 28388 7ff6c043886c 27924->28388 27926 7ff6c042f8ba 28392 7ff6c043ef60 GetSystemTime SystemTimeToFileTime 27926->28392 27930 7ff6c0426a0a 27929->27930 27931 7ff6c0426a0e 27929->27931 27930->27827 27939 7ff6c0432bb0 101 API calls 27931->27939 27932 7ff6c0426a1b 27933 7ff6c0426a2f 27932->27933 27934 7ff6c0426a3e 27932->27934 27933->27930 28401 7ff6c0425e24 27933->28401 28463 7ff6c0425130 130 API calls 2 library calls 27934->28463 27937 7ff6c0426a3c 27937->27930 28464 7ff6c042466c 82 API calls 27937->28464 27939->27932 27941 7ff6c042f978 27940->27941 27945 7ff6c042f9b0 27941->27945 28000 7ff6c042fa34 27941->28000 28579 7ff6c044612c 137 API calls 3 library calls 27941->28579 27943 7ff6c0431189 27946 7ff6c04311e1 27943->27946 27947 7ff6c043118e 27943->27947 27944 7ff6c0452320 _handle_error 8 API calls 27948 7ff6c04311c4 27944->27948 27945->27943 27950 7ff6c042f9d0 27945->27950 27945->28000 27946->28000 28628 7ff6c044612c 137 API calls 3 library calls 27946->28628 27947->28000 28627 7ff6c042dd08 179 API calls 27947->28627 27948->27827 27950->28000 28494 7ff6c0429bb0 27950->28494 27953 7ff6c042fad6 28507 7ff6c0435ef8 27953->28507 27956 7ff6c042fb7a 28116 7ff6c0432aa0 101 API calls 27956->28116 27958 7ff6c042fb5e 27958->27956 28000->27944 28118 7ff6c0422c74 28117->28118 28121 7ff6c0422c88 28117->28121 28118->28121 28713 7ff6c0422d80 108 API calls _invalid_parameter_noinfo_noreturn 28118->28713 28119 7ff6c0421fa0 31 API calls 28124 7ff6c0422ca1 28119->28124 28121->28119 28123 7ff6c0422d64 28126 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28123->28126 28124->28123 28714 7ff6c0423090 31 API calls _invalid_parameter_noinfo_noreturn 28124->28714 28125 7ff6c0422d08 28715 7ff6c0423090 31 API calls _invalid_parameter_noinfo_noreturn 28125->28715 28128 7ff6c0422d7c 28126->28128 28129 7ff6c0422d14 28130 7ff6c0421fa0 31 API calls 28129->28130 28131 7ff6c0422d20 28130->28131 28716 7ff6c043878c 28131->28716 28137->27824 28138->27834 28139 7ff6c0440994 83 API calls _handle_error 28139->27827 28141 7ff6c0434d32 __scrt_get_show_window_mode 28140->28141 28150 7ff6c0434bac 28141->28150 28143 7ff6c0434d54 28144 7ff6c0434d90 28143->28144 28146 7ff6c0434dae 28143->28146 28145 7ff6c0452320 _handle_error 8 API calls 28144->28145 28147 7ff6c0422b32 28145->28147 28148 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28146->28148 28147->27810 28147->27877 28149 7ff6c0434db3 28148->28149 28151 7ff6c0434c27 28150->28151 28152 7ff6c0434c2f BuildCatchObjectHelperInternal 28150->28152 28153 7ff6c0421fa0 31 API calls 28151->28153 28152->28143 28153->28152 28154->27879 28155->27893 28156->27895 28158 7ff6c042339a 28157->28158 28161 7ff6c0423396 28157->28161 28163 7ff6c0423294 28158->28163 28161->27920 28161->27921 28162 7ff6c0432aa0 101 API calls 28162->28161 28164 7ff6c04232bb 28163->28164 28166 7ff6c04232f6 28163->28166 28165 7ff6c04269f8 132 API calls 28164->28165 28169 7ff6c04232db 28165->28169 28171 7ff6c0426e74 28166->28171 28169->28162 28173 7ff6c0426e95 28171->28173 28172 7ff6c04269f8 132 API calls 28172->28173 28173->28172 28175 7ff6c042331d 28173->28175 28203 7ff6c043e808 28173->28203 28175->28169 28176 7ff6c0423904 28175->28176 28211 7ff6c0426a7c 28176->28211 28179 7ff6c042396a 28182 7ff6c0423989 28179->28182 28183 7ff6c042399a 28179->28183 28180 7ff6c0423a8a 28184 7ff6c0452320 _handle_error 8 API calls 28180->28184 28244 7ff6c0440d54 33 API calls 28182->28244 28188 7ff6c04239ec 28183->28188 28189 7ff6c04239a3 28183->28189 28187 7ff6c0423a9e 28184->28187 28185 7ff6c0423ab3 28190 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28185->28190 28187->28169 28246 7ff6c04226b4 33 API calls BuildCatchObjectHelperInternal 28188->28246 28245 7ff6c0440c80 33 API calls 28189->28245 28193 7ff6c0423ab8 28190->28193 28197 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28193->28197 28194 7ff6c04239b0 28198 7ff6c0421fa0 31 API calls 28194->28198 28201 7ff6c04239c0 BuildCatchObjectHelperInternal 28194->28201 28195 7ff6c0421fa0 31 API calls 28202 7ff6c042394f 28195->28202 28196 7ff6c0423a13 28247 7ff6c0440ae8 34 API calls _invalid_parameter_noinfo_noreturn 28196->28247 28200 7ff6c0423abe 28197->28200 28198->28201 28201->28195 28202->28180 28202->28185 28202->28193 28204 7ff6c043e811 28203->28204 28205 7ff6c043e82b 28204->28205 28209 7ff6c042b664 RtlPcToFileHeader RaiseException _com_raise_error 28204->28209 28207 7ff6c043e845 SetThreadExecutionState 28205->28207 28210 7ff6c042b664 RtlPcToFileHeader RaiseException _com_raise_error 28205->28210 28209->28205 28210->28207 28212 7ff6c0426a96 _snwprintf 28211->28212 28213 7ff6c0426ae4 28212->28213 28214 7ff6c0426ac4 28212->28214 28215 7ff6c0426d4d 28213->28215 28219 7ff6c0426b0f 28213->28219 28286 7ff6c04228a4 82 API calls 2 library calls 28214->28286 28315 7ff6c04228a4 82 API calls 2 library calls 28215->28315 28217 7ff6c0426ad0 28220 7ff6c0452320 _handle_error 8 API calls 28217->28220 28219->28217 28248 7ff6c0441f94 28219->28248 28221 7ff6c042394b 28220->28221 28221->28179 28221->28202 28243 7ff6c0422794 33 API calls __std_swap_ranges_trivially_swappable 28221->28243 28224 7ff6c0426b6e 28287 7ff6c04228a4 82 API calls 2 library calls 28224->28287 28225 7ff6c0426b80 28226 7ff6c0426b85 28225->28226 28288 7ff6c04240b0 28225->28288 28228 7ff6c0426c2a 28226->28228 28242 7ff6c0426b7b 28226->28242 28292 7ff6c0438968 109 API calls 28226->28292 28257 7ff6c0434760 28228->28257 28233 7ff6c0426c52 28234 7ff6c0426cc7 28233->28234 28235 7ff6c0426cd1 28233->28235 28261 7ff6c0431794 28234->28261 28293 7ff6c0441f20 28235->28293 28238 7ff6c0426ccf 28313 7ff6c0434700 8 API calls _handle_error 28238->28313 28240 7ff6c0426cfd 28240->28242 28314 7ff6c042433c 82 API calls 2 library calls 28240->28314 28276 7ff6c0441870 28242->28276 28243->28179 28244->28202 28245->28194 28246->28196 28247->28202 28249 7ff6c0442056 std::bad_alloc::bad_alloc 28248->28249 28252 7ff6c0441fc5 std::bad_alloc::bad_alloc 28248->28252 28251 7ff6c0454078 _com_raise_error 2 API calls 28249->28251 28250 7ff6c0426b59 28250->28224 28250->28225 28250->28226 28251->28252 28252->28250 28253 7ff6c0454078 _com_raise_error 2 API calls 28252->28253 28254 7ff6c044200f std::bad_alloc::bad_alloc 28252->28254 28253->28254 28254->28250 28255 7ff6c0454078 _com_raise_error 2 API calls 28254->28255 28256 7ff6c04420a9 28255->28256 28258 7ff6c0434780 28257->28258 28260 7ff6c043478a 28257->28260 28259 7ff6c04521d0 33 API calls 28258->28259 28259->28260 28260->28233 28262 7ff6c04317be __scrt_get_show_window_mode 28261->28262 28316 7ff6c0438a48 28262->28316 28264 7ff6c0431830 28265 7ff6c0431856 28264->28265 28268 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28264->28268 28265->28238 28266 7ff6c0438a48 146 API calls 28269 7ff6c04317f2 28266->28269 28269->28264 28269->28266 28326 7ff6c0438c4c 28269->28326 28277 7ff6c044188e 28276->28277 28279 7ff6c04418a1 28277->28279 28341 7ff6c043e948 28277->28341 28281 7ff6c04418d8 28279->28281 28332 7ff6c045236c 28279->28332 28285 7ff6c0441a37 28281->28285 28336 7ff6c043a984 28281->28336 28282 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28283 7ff6c0441ad0 28282->28283 28285->28282 28286->28217 28287->28242 28289 7ff6c04240d7 __scrt_get_show_window_mode 28288->28289 28290 7ff6c04240dd 28288->28290 28289->28226 28290->28289 28348 7ff6c0424120 28290->28348 28292->28228 28294 7ff6c0441f29 28293->28294 28295 7ff6c0441f5d 28294->28295 28296 7ff6c0441f55 28294->28296 28297 7ff6c0441f49 28294->28297 28295->28238 28384 7ff6c0443964 151 API calls 28296->28384 28354 7ff6c04420ac 28297->28354 28300 7ff6c0444733 BuildCatchObjectHelperInternal 28300->28300 28301 7ff6c0438a48 146 API calls 28300->28301 28302 7ff6c0444ad7 28300->28302 28301->28300 28313->28240 28314->28242 28315->28217 28318 7ff6c0438bcd 28316->28318 28322 7ff6c0438a91 BuildCatchObjectHelperInternal 28316->28322 28317 7ff6c0438c1a 28319 7ff6c043e808 SetThreadExecutionState RtlPcToFileHeader RaiseException 28317->28319 28318->28317 28320 7ff6c042a174 8 API calls 28318->28320 28323 7ff6c0438c1f 28319->28323 28320->28317 28321 7ff6c044612c 137 API calls 28321->28322 28322->28318 28322->28321 28322->28323 28324 7ff6c0434888 108 API calls 28322->28324 28325 7ff6c04328d0 104 API calls 28322->28325 28323->28269 28324->28322 28325->28322 28327 7ff6c0438c72 BuildCatchObjectHelperInternal 28326->28327 28328 7ff6c0438c8b 28326->28328 28328->28327 28334 7ff6c045239f 28332->28334 28333 7ff6c04523c8 28333->28281 28334->28333 28335 7ff6c0441870 108 API calls 28334->28335 28335->28334 28337 7ff6c043a995 28336->28337 28338 7ff6c043a9dd 28336->28338 28337->28338 28339 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28337->28339 28338->28285 28340 7ff6c043a9fe 28339->28340 28342 7ff6c043ecd8 103 API calls 28341->28342 28343 7ff6c043e95f ReleaseSemaphore 28342->28343 28344 7ff6c043e984 28343->28344 28345 7ff6c043e9a3 DeleteCriticalSection CloseHandle CloseHandle 28343->28345 28346 7ff6c043ea5c 101 API calls 28344->28346 28347 7ff6c043e98e CloseHandle 28346->28347 28347->28344 28347->28345 28349 7ff6c0424168 __std_swap_ranges_trivially_swappable __scrt_get_show_window_mode 28348->28349 28352 7ff6c0424149 28348->28352 28350 7ff6c0422018 33 API calls 28349->28350 28351 7ff6c04241eb 28350->28351 28352->28349 28353 7ff6c04521d0 33 API calls 28352->28353 28353->28349 28356 7ff6c04420c8 __scrt_get_show_window_mode 28354->28356 28355 7ff6c04421ba 28355->28300 28356->28355 28357 7ff6c042b75c 82 API calls 28356->28357 28357->28356 28384->28295 28389 7ff6c0438882 28388->28389 28390 7ff6c0438892 28388->28390 28395 7ff6c04323f0 28389->28395 28390->27926 28393 7ff6c0452320 _handle_error 8 API calls 28392->28393 28394 7ff6c042f7dc 28393->28394 28394->27827 28394->28139 28396 7ff6c043240f 28395->28396 28400 7ff6c0432aa0 101 API calls 28396->28400 28397 7ff6c0432428 28399 7ff6c0432bb0 101 API calls 28397->28399 28398 7ff6c0432438 28398->28390 28399->28398 28400->28397 28402 7ff6c0425e67 28401->28402 28465 7ff6c04385f0 28402->28465 28404 7ff6c0426134 28475 7ff6c0426fcc 82 API calls 28404->28475 28406 7ff6c04269af 28407 7ff6c0452320 _handle_error 8 API calls 28406->28407 28410 7ff6c04269c3 28407->28410 28408 7ff6c04269e4 28411 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28408->28411 28409 7ff6c0426973 28488 7ff6c042466c 82 API calls 28409->28488 28410->27937 28414 7ff6c04269e9 28411->28414 28413 7ff6c042612e 28413->28404 28413->28409 28415 7ff6c04385f0 104 API calls 28413->28415 28417 7ff6c04261a4 28415->28417 28417->28404 28421 7ff6c04261ac 28417->28421 28418 7ff6c04269ef 28419 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28418->28419 28420 7ff6c04269f5 28419->28420 28422 7ff6c042623f 28421->28422 28476 7ff6c042466c 82 API calls 28421->28476 28422->28409 28424 7ff6c0426266 28422->28424 28427 7ff6c04268b7 28424->28427 28428 7ff6c04262ce 28424->28428 28430 7ff6c0434d04 31 API calls 28427->28430 28458 7ff6c042613c 28458->28406 28458->28408 28458->28418 28463->27937 28466 7ff6c043869a 28465->28466 28467 7ff6c0438614 28465->28467 28468 7ff6c043867c 28466->28468 28470 7ff6c04240b0 33 API calls 28466->28470 28467->28468 28469 7ff6c04240b0 33 API calls 28467->28469 28468->28413 28471 7ff6c043864d 28469->28471 28472 7ff6c04386b3 28470->28472 28489 7ff6c042a174 28471->28489 28474 7ff6c04328d0 104 API calls 28472->28474 28474->28468 28475->28458 28490 7ff6c042a185 28489->28490 28491 7ff6c042a19a 28490->28491 28493 7ff6c043af18 8 API calls 2 library calls 28490->28493 28491->28468 28493->28491 28495 7ff6c0429be7 28494->28495 28499 7ff6c0429c83 28495->28499 28502 7ff6c0429c1b 28495->28502 28503 7ff6c0429cae 28495->28503 28629 7ff6c0435294 28495->28629 28647 7ff6c043db60 28495->28647 28496 7ff6c0452320 _handle_error 8 API calls 28497 7ff6c0429c9d 28496->28497 28497->27953 28501 7ff6c0421fa0 31 API calls 28499->28501 28501->28502 28502->28496 28504 7ff6c0429cbf 28503->28504 28651 7ff6c043da48 CompareStringW 28503->28651 28504->28499 28506 7ff6c04220b0 33 API calls 28504->28506 28506->28499 28520 7ff6c0435f3a 28507->28520 28508 7ff6c0452320 _handle_error 8 API calls 28510 7ff6c042fb29 28508->28510 28510->27956 28580 7ff6c0437c94 47 API calls 2 library calls 28510->28580 28511 7ff6c042129c 33 API calls 28513 7ff6c0436129 28511->28513 28512 7ff6c04361d4 28514 7ff6c0421fa0 31 API calls 28513->28514 28515 7ff6c043613b BuildCatchObjectHelperInternal 28513->28515 28514->28515 28516 7ff6c043619b 28515->28516 28517 7ff6c04361c9 28515->28517 28516->28508 28518 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28517->28518 28519 7ff6c04361ce 28518->28519 28655 7ff6c042704c 47 API calls BuildCatchObjectHelperInternal 28519->28655 28520->28511 28520->28516 28520->28519 28579->27945 28580->27958 28627->28000 28628->28000 28631 7ff6c04352d4 28629->28631 28630 7ff6c0435339 __vcrt_FlsAlloc 28632 7ff6c0452320 _handle_error 8 API calls 28630->28632 28631->28630 28635 7ff6c0435312 __vcrt_FlsAlloc 28631->28635 28652 7ff6c04413f4 CompareStringW 28631->28652 28633 7ff6c0435503 28632->28633 28633->28495 28635->28630 28636 7ff6c0435382 __vcrt_FlsAlloc 28635->28636 28653 7ff6c04413f4 CompareStringW 28635->28653 28636->28630 28638 7ff6c042129c 33 API calls 28636->28638 28639 7ff6c0435439 28636->28639 28640 7ff6c0435426 28638->28640 28642 7ff6c043551b 28639->28642 28643 7ff6c0435489 28639->28643 28641 7ff6c04372cc 8 API calls 28640->28641 28641->28639 28645 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28642->28645 28643->28630 28654 7ff6c04413f4 CompareStringW 28643->28654 28646 7ff6c0435520 28645->28646 28648 7ff6c043db73 28647->28648 28649 7ff6c043db91 28648->28649 28650 7ff6c04220b0 33 API calls 28648->28650 28649->28495 28650->28649 28651->28504 28652->28635 28653->28636 28654->28630 28655->28512 28713->28121 28714->28125 28715->28129 28717 7ff6c04387df 28716->28717 28718 7ff6c04387af 28716->28718 28722 7ff6c045236c 108 API calls 28717->28722 28728 7ff6c043882b 28717->28728 28719 7ff6c045236c 108 API calls 28718->28719 28721 7ff6c04387ca 28719->28721 28724 7ff6c045236c 108 API calls 28721->28724 28725 7ff6c0438814 28722->28725 28723 7ff6c0438845 28727 7ff6c043461c 108 API calls 28723->28727 28724->28717 28726 7ff6c045236c 108 API calls 28725->28726 28726->28728 28729 7ff6c0438851 28727->28729 28730 7ff6c043461c 28728->28730 28731 7ff6c0434632 28730->28731 28733 7ff6c043463a 28730->28733 28732 7ff6c043e948 108 API calls 28731->28732 28732->28733 28733->28723 28735 7ff6c043163e 28734->28735 28740 7ff6c0431681 28734->28740 28737 7ff6c04331bc 51 API calls 28735->28737 28735->28740 28736 7ff6c042e600 31 API calls 28742 7ff6c04316de 28736->28742 28737->28735 28738 7ff6c0421fa0 31 API calls 28738->28740 28739 7ff6c043175b 28743 7ff6c0452320 _handle_error 8 API calls 28739->28743 28740->28738 28744 7ff6c04316a0 28740->28744 28741 7ff6c043178d 28746 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28741->28746 28742->28739 28742->28741 28745 7ff6c042e58a 28743->28745 28744->28736 28745->27765 28745->27766 28747 7ff6c0431792 28746->28747 28748->27432 28749->27438 28750->27441 28751 7ff6c04503e0 28752 7ff6c045041f 28751->28752 28753 7ff6c0450497 28751->28753 28754 7ff6c043aae0 48 API calls 28752->28754 28755 7ff6c043aae0 48 API calls 28753->28755 28757 7ff6c0450433 28754->28757 28756 7ff6c04504ab 28755->28756 28758 7ff6c043da98 48 API calls 28756->28758 28759 7ff6c043da98 48 API calls 28757->28759 28764 7ff6c0450442 BuildCatchObjectHelperInternal 28758->28764 28759->28764 28760 7ff6c0421fa0 31 API calls 28761 7ff6c0450541 28760->28761 28765 7ff6c042250c SetDlgItemTextW 28761->28765 28762 7ff6c04505cc 28767 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28762->28767 28763 7ff6c04505c6 28766 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28763->28766 28764->28760 28764->28762 28764->28763 28768 7ff6c0450556 SetWindowTextW 28765->28768 28766->28762 28771 7ff6c04505d2 28767->28771 28769 7ff6c045056f 28768->28769 28770 7ff6c045059c 28768->28770 28769->28770 28773 7ff6c04505c1 28769->28773 28772 7ff6c0452320 _handle_error 8 API calls 28770->28772 28774 7ff6c04505af 28772->28774 28775 7ff6c0457904 _invalid_parameter_noinfo_noreturn 31 API calls 28773->28775 28775->28763 28776 7ff6c04520f0 28777 7ff6c0452106 _com_error::_com_error 28776->28777 28778 7ff6c0454078 _com_raise_error 2 API calls 28777->28778 28779 7ff6c0452117 28778->28779 28780 7ff6c0451900 _com_raise_error 14 API calls 28779->28780 28781 7ff6c0452163 28780->28781 28782 7ff6c0451491 28783 7ff6c04513c9 28782->28783 28784 7ff6c0451900 _com_raise_error 14 API calls 28783->28784 28785 7ff6c0451408 28784->28785

                                                                                    Executed Functions

                                                                                    Function 00007FF6C044B190 Relevance: 123.9, APIs: 60, Strings: 10, Instructions: 1421windowfilesleepCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Item$Message$_invalid_parameter_noinfo_noreturn$Send$DialogText$File$ErrorLast$CloseFindFocusLoadStringViewWindow$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmap
                                                                                    • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                                                                    • API String ID: 255727823-2702805183
                                                                                    • Opcode ID: 9a17fb0a367c8f41df10969568811eb98f7642249842cc7a5319212f9cbedbf3
                                                                                    • Instruction ID: e3797a2ca0368b8e5100ba40153c191472a5799e3f21ae05277730ccb06226fb
                                                                                    • Opcode Fuzzy Hash: 9a17fb0a367c8f41df10969568811eb98f7642249842cc7a5319212f9cbedbf3
                                                                                    • Instruction Fuzzy Hash: 9ED29362A08682F1EA609F65E8542FB6361EF85782F40C636DACDC77A6DF3CE544C740
                                                                                    Function 00007FF6C044CE88 Relevance: 65.0, APIs: 26, Strings: 10, Instructions: 1963windowfileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$FileMessageMoveSend$DialogItemPathTemp
                                                                                    • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                                                                    • API String ID: 3007431893-3916287355
                                                                                    • Opcode ID: 13eb6110c4e0ac35ec007d1b6c7a4b17d7f990185731ca232e56026f253a956b
                                                                                    • Instruction ID: e4e9528c4daf63297db279c455dd3ca1ff7142ae1d82f2003de82fff48313e5f
                                                                                    • Opcode Fuzzy Hash: 13eb6110c4e0ac35ec007d1b6c7a4b17d7f990185731ca232e56026f253a956b
                                                                                    • Instruction Fuzzy Hash: 5013BD72B04A82F4EB10DFA4D8442EE27A1EB44799F509536DA9DD7BE9DF38E184C340
                                                                                    Function 00007FF6C0450754 Relevance: 45.9, APIs: 21, Strings: 5, Instructions: 380filesleeptimeCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1466 7ff6c0450754-7ff6c0450829 call 7ff6c043dfd0 call 7ff6c04362dc call 7ff6c044946c call 7ff6c0453cf0 call 7ff6c0449a14 1477 7ff6c045082b-7ff6c0450840 1466->1477 1478 7ff6c0450860-7ff6c0450883 1466->1478 1479 7ff6c045085b call 7ff6c045220c 1477->1479 1480 7ff6c0450842-7ff6c0450855 1477->1480 1481 7ff6c04508ba-7ff6c04508dd 1478->1481 1482 7ff6c0450885-7ff6c045089a 1478->1482 1479->1478 1480->1479 1485 7ff6c0450ddd-7ff6c0450de2 call 7ff6c0457904 1480->1485 1483 7ff6c0450914-7ff6c0450937 1481->1483 1484 7ff6c04508df-7ff6c04508f4 1481->1484 1487 7ff6c045089c-7ff6c04508af 1482->1487 1488 7ff6c04508b5 call 7ff6c045220c 1482->1488 1492 7ff6c0450939-7ff6c045094e 1483->1492 1493 7ff6c045096e-7ff6c045097a GetCommandLineW 1483->1493 1490 7ff6c04508f6-7ff6c0450909 1484->1490 1491 7ff6c045090f call 7ff6c045220c 1484->1491 1503 7ff6c0450de3-7ff6c0450df0 call 7ff6c0457904 1485->1503 1487->1485 1487->1488 1488->1481 1490->1485 1490->1491 1491->1483 1496 7ff6c0450969 call 7ff6c045220c 1492->1496 1497 7ff6c0450950-7ff6c0450963 1492->1497 1499 7ff6c0450b47-7ff6c0450b5e call 7ff6c0436454 1493->1499 1500 7ff6c0450980-7ff6c04509b7 call 7ff6c045797c call 7ff6c042129c call 7ff6c044cad0 1493->1500 1496->1493 1497->1485 1497->1496 1509 7ff6c0450b89-7ff6c0450ce4 call 7ff6c0421fa0 SetEnvironmentVariableW GetLocalTime call 7ff6c0433e28 SetEnvironmentVariableW GetModuleHandleW LoadIconW call 7ff6c044b014 call 7ff6c04398ac call 7ff6c04467b4 * 2 DialogBoxParamW call 7ff6c04468a8 * 2 1499->1509 1510 7ff6c0450b60-7ff6c0450b85 call 7ff6c0421fa0 call 7ff6c0453640 1499->1510 1524 7ff6c04509ec-7ff6c04509f3 1500->1524 1525 7ff6c04509b9-7ff6c04509cc 1500->1525 1512 7ff6c0450df5-7ff6c0450e2f call 7ff6c0451900 1503->1512 1573 7ff6c0450cec-7ff6c0450cf3 1509->1573 1574 7ff6c0450ce6 Sleep 1509->1574 1510->1509 1521 7ff6c0450e34-7ff6c0450e8d 1512->1521 1521->1512 1532 7ff6c0450adb-7ff6c0450b12 call 7ff6c045797c call 7ff6c042129c call 7ff6c044fd0c 1524->1532 1533 7ff6c04509f9-7ff6c0450a13 OpenFileMappingW 1524->1533 1530 7ff6c04509e7 call 7ff6c045220c 1525->1530 1531 7ff6c04509ce-7ff6c04509e1 1525->1531 1530->1524 1531->1503 1531->1530 1532->1499 1557 7ff6c0450b14-7ff6c0450b27 1532->1557 1537 7ff6c0450a19-7ff6c0450a39 MapViewOfFile 1533->1537 1538 7ff6c0450ad0-7ff6c0450ad9 CloseHandle 1533->1538 1537->1538 1542 7ff6c0450a3f-7ff6c0450a6f UnmapViewOfFile MapViewOfFile 1537->1542 1538->1499 1542->1538 1545 7ff6c0450a71-7ff6c0450aca call 7ff6c044a190 call 7ff6c044fd0c call 7ff6c043b9b4 call 7ff6c043bb00 call 7ff6c043bb70 UnmapViewOfFile 1542->1545 1545->1538 1558 7ff6c0450b29-7ff6c0450b3c 1557->1558 1559 7ff6c0450b42 call 7ff6c045220c 1557->1559 1558->1559 1562 7ff6c0450dd7-7ff6c0450ddc call 7ff6c0457904 1558->1562 1559->1499 1562->1485 1576 7ff6c0450cfa-7ff6c0450d1d call 7ff6c043b8e0 DeleteObject 1573->1576 1577 7ff6c0450cf5 call 7ff6c0449f4c 1573->1577 1574->1573 1581 7ff6c0450d25-7ff6c0450d2c 1576->1581 1582 7ff6c0450d1f DeleteObject 1576->1582 1577->1576 1583 7ff6c0450d48-7ff6c0450d59 1581->1583 1584 7ff6c0450d2e-7ff6c0450d35 1581->1584 1582->1581 1586 7ff6c0450d5b-7ff6c0450d67 call 7ff6c044fe24 CloseHandle 1583->1586 1587 7ff6c0450d6d-7ff6c0450d7a 1583->1587 1584->1583 1585 7ff6c0450d37-7ff6c0450d43 call 7ff6c042ba0c 1584->1585 1585->1583 1586->1587 1590 7ff6c0450d7c-7ff6c0450d89 1587->1590 1591 7ff6c0450d9f-7ff6c0450da4 call 7ff6c04494e4 1587->1591 1594 7ff6c0450d8b-7ff6c0450d93 1590->1594 1595 7ff6c0450d99-7ff6c0450d9b 1590->1595 1597 7ff6c0450da9-7ff6c0450dd6 call 7ff6c0452320 1591->1597 1594->1591 1598 7ff6c0450d95-7ff6c0450d97 1594->1598 1595->1591 1596 7ff6c0450d9d 1595->1596 1596->1591 1598->1591
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                                                                    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                                                                    • API String ID: 1048086575-3710569615
                                                                                    • Opcode ID: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                                    • Instruction ID: dcb92f907ff0c0bc1bac1f14561b3d7810a9aaefd0a850b720165890a6099d2a
                                                                                    • Opcode Fuzzy Hash: 7fb843965e060d2caf1f274bd47349aa60f49b36b68f6f054b76b7ae27a5abf6
                                                                                    • Instruction Fuzzy Hash: 79129F75A08B82E1EB109F24E8552BA7361FF85786F408636DADDC6BA5EF3CE144C740
                                                                                    Function 00007FF6C043A4AC Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 250COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWideswprintf
                                                                                    • String ID: $%s:$CAPTION
                                                                                    • API String ID: 2100155373-404845831
                                                                                    • Opcode ID: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                    • Instruction ID: 8889b5b63a0849ff5d2543be9371cae9d6d43ab336bd5238a6592f39c5af6d85
                                                                                    • Opcode Fuzzy Hash: 1224945cd41bf140f0dcf37f1b002595631e4f701a4b658f84a72e9da714e3d9
                                                                                    • Instruction Fuzzy Hash: 3B91D732B18641D6E718DF2AE80066AA7A1FB89785F549535EE8DC7B58CF3CE805CB40
                                                                                    Function 00007FF6C0448624 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 101memorywindowCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$Resource$AllocCreateGdipLock$BitmapFindFreeFromLoadSizeofStreamUnlock
                                                                                    • String ID: PNG
                                                                                    • API String ID: 211097158-364855578
                                                                                    • Opcode ID: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                    • Instruction ID: d43017f1dbd007baa9b971289a69e4e2f99db6646163dbeeda9938b247fcd3cb
                                                                                    • Opcode Fuzzy Hash: c8606208415c3a11eb94d5df8c8f8595ea54109f2541637b646828bce78d4013
                                                                                    • Instruction Fuzzy Hash: 2F413F25B19B06E1EF048F56D86437A63A0AF88B96F148539CE8DC7364EF7CE4488740
                                                                                    Function 00007FF6C042F930 Relevance: 17.2, APIs: 8, Strings: 1, Instructions: 1417COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID: __tmp_reference_source_
                                                                                    • API String ID: 3668304517-685763994
                                                                                    • Opcode ID: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                                    • Instruction ID: 529b308386112a7a6f0bf1a0e30892a6b843d6d0d11e6c430abb616de4aab54f
                                                                                    • Opcode Fuzzy Hash: ee1b9b2f793652c4fffa685adae4afd38ebba44b70748007b51654422c3c5d5b
                                                                                    • Instruction Fuzzy Hash: 37E27262A08AC2E2EA648F65E1543AF6761FB85782F409232DBDDD37A5CF3CE455C700
                                                                                    Function 00007FF6C0424840 Relevance: 12.1, APIs: 5, Strings: 1, Instructions: 1624COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID: CMT
                                                                                    • API String ID: 3668304517-2756464174
                                                                                    • Opcode ID: 900f1335872eede1b1a492564cf610b08fbb687fb420bf81384da2f580c8fe8c
                                                                                    • Instruction ID: d6f33fcceed6be2225d5c8a3f5f95a352dbb25d0e36d89207b504d5cec430582
                                                                                    • Opcode Fuzzy Hash: 900f1335872eede1b1a492564cf610b08fbb687fb420bf81384da2f580c8fe8c
                                                                                    • Instruction Fuzzy Hash: E1E2DB62B08682E6EB18DF6595582FEA7A1FB84785F408036DA9EC3796DF3CE554C300
                                                                                    Function 00007FF6C04340BC Relevance: 10.7, APIs: 7, Instructions: 153fileCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 3712 7ff6c04340bc-7ff6c04340f3 3713 7ff6c04340f9-7ff6c0434101 3712->3713 3714 7ff6c04341d2-7ff6c04341df FindNextFileW 3712->3714 3715 7ff6c0434106-7ff6c0434118 FindFirstFileW 3713->3715 3716 7ff6c0434103 3713->3716 3717 7ff6c04341e1-7ff6c04341f1 GetLastError 3714->3717 3718 7ff6c04341f3-7ff6c04341f6 3714->3718 3715->3718 3719 7ff6c043411e-7ff6c0434146 call 7ff6c0436a0c 3715->3719 3716->3715 3720 7ff6c04341ca-7ff6c04341cd 3717->3720 3721 7ff6c04341f8-7ff6c0434200 3718->3721 3722 7ff6c0434211-7ff6c0434253 call 7ff6c045797c call 7ff6c042129c call 7ff6c0438090 3718->3722 3732 7ff6c0434148-7ff6c0434164 FindFirstFileW 3719->3732 3733 7ff6c0434167-7ff6c0434170 3719->3733 3723 7ff6c04342eb-7ff6c043430e call 7ff6c0452320 3720->3723 3725 7ff6c0434205-7ff6c043420c call 7ff6c04220b0 3721->3725 3726 7ff6c0434202 3721->3726 3749 7ff6c043428c-7ff6c04342e6 call 7ff6c043f168 * 3 3722->3749 3750 7ff6c0434255-7ff6c043426c 3722->3750 3725->3722 3726->3725 3732->3733 3736 7ff6c04341a9-7ff6c04341ad 3733->3736 3737 7ff6c0434172-7ff6c0434189 3733->3737 3736->3718 3741 7ff6c04341af-7ff6c04341be GetLastError 3736->3741 3739 7ff6c043418b-7ff6c043419e 3737->3739 3740 7ff6c04341a4 call 7ff6c045220c 3737->3740 3739->3740 3743 7ff6c0434315-7ff6c043431b call 7ff6c0457904 3739->3743 3740->3736 3745 7ff6c04341c8 3741->3745 3746 7ff6c04341c0-7ff6c04341c6 3741->3746 3745->3720 3746->3720 3746->3745 3749->3723 3751 7ff6c0434287 call 7ff6c045220c 3750->3751 3752 7ff6c043426e-7ff6c0434281 3750->3752 3751->3749 3752->3751 3755 7ff6c043430f-7ff6c0434314 call 7ff6c0457904 3752->3755 3755->3743
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                                                                    • String ID:
                                                                                    • API String ID: 474548282-0
                                                                                    • Opcode ID: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                                    • Instruction ID: eb50b094e72780ee953a20575587fcce460078097343a97e79d0487ad9417f97
                                                                                    • Opcode Fuzzy Hash: 5b7a682f346ba33cc6e8113bf8bb974c5d06c867b30d63dc8f71ee7e42fd28a6
                                                                                    • Instruction Fuzzy Hash: 06618362A08A46E1EE109F24E4442AA6361FB997B5F109331EAEDC37D9DF3CE584C700
                                                                                    Function 00007FF6C0425E24 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 586COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 3823 7ff6c0425e24-7ff6c0426129 call 7ff6c043833c call 7ff6c04385f0 3829 7ff6c042612e-7ff6c0426132 3823->3829 3830 7ff6c0426141-7ff6c0426171 call 7ff6c04383d8 call 7ff6c0438570 call 7ff6c0438528 3829->3830 3831 7ff6c0426134-7ff6c042613c call 7ff6c0426fcc 3829->3831 3849 7ff6c0426177-7ff6c0426179 3830->3849 3850 7ff6c0426973-7ff6c0426976 call 7ff6c042466c 3830->3850 3836 7ff6c042697b 3831->3836 3838 7ff6c042697e-7ff6c0426985 3836->3838 3840 7ff6c0426987-7ff6c0426998 3838->3840 3841 7ff6c04269b4-7ff6c04269e3 call 7ff6c0452320 3838->3841 3843 7ff6c042699a-7ff6c04269ad 3840->3843 3844 7ff6c04269af call 7ff6c045220c 3840->3844 3843->3844 3847 7ff6c04269e4-7ff6c04269e9 call 7ff6c0457904 3843->3847 3844->3841 3858 7ff6c04269ea-7ff6c04269ef call 7ff6c0457904 3847->3858 3849->3850 3854 7ff6c042617f-7ff6c0426189 3849->3854 3850->3836 3854->3850 3855 7ff6c042618f-7ff6c0426192 3854->3855 3855->3850 3857 7ff6c0426198-7ff6c04261aa call 7ff6c04385f0 3855->3857 3857->3831 3863 7ff6c04261ac-7ff6c04261fd call 7ff6c04384f8 call 7ff6c0438528 * 2 3857->3863 3864 7ff6c04269f0-7ff6c04269f7 call 7ff6c0457904 3858->3864 3873 7ff6c042623f-7ff6c0426249 3863->3873 3874 7ff6c04261ff-7ff6c0426222 call 7ff6c042466c call 7ff6c042ba0c 3863->3874 3875 7ff6c0426266-7ff6c0426270 3873->3875 3876 7ff6c042624b-7ff6c0426260 call 7ff6c0438528 3873->3876 3874->3873 3889 7ff6c0426224-7ff6c042622e call 7ff6c042433c 3874->3889 3879 7ff6c042627e-7ff6c0426296 call 7ff6c042334c 3875->3879 3880 7ff6c0426272-7ff6c042627b call 7ff6c0438528 3875->3880 3876->3850 3876->3875 3890 7ff6c0426298-7ff6c042629b 3879->3890 3891 7ff6c04262b3 3879->3891 3880->3879 3889->3873 3890->3891 3894 7ff6c042629d-7ff6c04262b1 3890->3894 3892 7ff6c04262b6-7ff6c04262c8 3891->3892 3895 7ff6c04268b7-7ff6c0426929 call 7ff6c0434d04 call 7ff6c0438528 3892->3895 3896 7ff6c04262ce-7ff6c04262d1 3892->3896 3894->3891 3894->3892 3915 7ff6c0426936 3895->3915 3916 7ff6c042692b-7ff6c0426934 call 7ff6c0438528 3895->3916 3897 7ff6c04262d7-7ff6c04262da 3896->3897 3898 7ff6c0426481-7ff6c04264f4 call 7ff6c0434c74 call 7ff6c0438528 * 2 3896->3898 3897->3898 3900 7ff6c04262e0-7ff6c04262e3 3897->3900 3930 7ff6c0426507-7ff6c0426533 call 7ff6c0438528 3898->3930 3931 7ff6c04264f6-7ff6c0426500 3898->3931 3903 7ff6c042632e-7ff6c0426353 call 7ff6c0438528 3900->3903 3904 7ff6c04262e5-7ff6c04262e8 3900->3904 3919 7ff6c042639e-7ff6c04263c5 call 7ff6c0438528 call 7ff6c0438384 3903->3919 3920 7ff6c0426355-7ff6c042638f call 7ff6c0424228 call 7ff6c0423c84 call 7ff6c042701c call 7ff6c0421fa0 3903->3920 3907 7ff6c042696d-7ff6c0426971 3904->3907 3908 7ff6c04262ee-7ff6c0426329 call 7ff6c0438528 3904->3908 3907->3838 3908->3907 3922 7ff6c0426939-7ff6c0426946 3915->3922 3916->3922 3943 7ff6c04263c7-7ff6c0426400 call 7ff6c0424228 call 7ff6c0423c84 call 7ff6c042701c call 7ff6c0421fa0 3919->3943 3944 7ff6c0426402-7ff6c042641f call 7ff6c0438444 3919->3944 3967 7ff6c0426390-7ff6c0426399 call 7ff6c0421fa0 3920->3967 3927 7ff6c0426948-7ff6c042694a 3922->3927 3928 7ff6c042694c 3922->3928 3927->3928 3929 7ff6c042694f-7ff6c0426959 3927->3929 3928->3929 3929->3907 3934 7ff6c042695b-7ff6c0426968 call 7ff6c0424840 3929->3934 3945 7ff6c0426549-7ff6c0426557 3930->3945 3946 7ff6c0426535-7ff6c0426544 call 7ff6c04383d8 call 7ff6c043f134 3930->3946 3931->3930 3934->3907 3943->3967 3964 7ff6c0426421-7ff6c042646f call 7ff6c0438444 * 2 call 7ff6c043c800 call 7ff6c0454a70 3944->3964 3965 7ff6c0426475-7ff6c042647c 3944->3965 3948 7ff6c0426559-7ff6c042656c call 7ff6c04383d8 3945->3948 3949 7ff6c0426572-7ff6c0426595 call 7ff6c0438528 3945->3949 3946->3945 3948->3949 3968 7ff6c0426597-7ff6c042659e 3949->3968 3969 7ff6c04265a0-7ff6c04265b0 3949->3969 3964->3965 3965->3907 3967->3919 3973 7ff6c04265b3-7ff6c04265eb call 7ff6c0438528 * 2 3968->3973 3969->3973 3987 7ff6c04265f6-7ff6c04265fa 3973->3987 3988 7ff6c04265ed-7ff6c04265f4 3973->3988 3990 7ff6c0426603-7ff6c0426632 3987->3990 3992 7ff6c04265fc 3987->3992 3988->3990 3993 7ff6c042663f 3990->3993 3994 7ff6c0426634-7ff6c0426638 3990->3994 3992->3990 3996 7ff6c0426641-7ff6c0426656 3993->3996 3994->3993 3995 7ff6c042663a-7ff6c042663d 3994->3995 3995->3996 3997 7ff6c0426658-7ff6c042665b 3996->3997 3998 7ff6c04266ca 3996->3998 3997->3998 3999 7ff6c042665d-7ff6c0426683 3997->3999 4000 7ff6c04266d2-7ff6c0426731 call 7ff6c0423d00 call 7ff6c0438444 call 7ff6c0440d54 3998->4000 3999->4000 4002 7ff6c0426685-7ff6c04266a9 3999->4002 4011 7ff6c0426733-7ff6c0426740 call 7ff6c0424840 4000->4011 4012 7ff6c0426745-7ff6c0426749 4000->4012 4004 7ff6c04266ab 4002->4004 4005 7ff6c04266b2-7ff6c04266bf 4002->4005 4004->4005 4005->4000 4007 7ff6c04266c1-7ff6c04266c8 4005->4007 4007->4000 4011->4012 4014 7ff6c042675b-7ff6c0426772 call 7ff6c045797c 4012->4014 4015 7ff6c042674b-7ff6c0426756 call 7ff6c042473c 4012->4015 4021 7ff6c0426777-7ff6c042677e 4014->4021 4022 7ff6c0426774 4014->4022 4020 7ff6c0426859-7ff6c0426860 4015->4020 4025 7ff6c0426873-7ff6c042687b 4020->4025 4026 7ff6c0426862-7ff6c0426872 call 7ff6c042433c 4020->4026 4023 7ff6c0426780-7ff6c0426783 4021->4023 4024 7ff6c04267a3-7ff6c04267ba call 7ff6c045797c 4021->4024 4022->4021 4028 7ff6c042679c 4023->4028 4029 7ff6c0426785 4023->4029 4039 7ff6c04267bc 4024->4039 4040 7ff6c04267bf-7ff6c04267c6 4024->4040 4025->3907 4027 7ff6c0426881-7ff6c0426892 4025->4027 4026->4025 4032 7ff6c04268ad-7ff6c04268b2 call 7ff6c045220c 4027->4032 4033 7ff6c0426894-7ff6c04268a7 4027->4033 4028->4024 4034 7ff6c0426788-7ff6c0426791 4029->4034 4032->3907 4033->3864 4033->4032 4034->4024 4038 7ff6c0426793-7ff6c042679a 4034->4038 4038->4028 4038->4034 4039->4040 4040->4020 4042 7ff6c04267cc-7ff6c04267cf 4040->4042 4043 7ff6c04267e8-7ff6c04267f0 4042->4043 4044 7ff6c04267d1 4042->4044 4043->4020 4045 7ff6c04267f2-7ff6c0426826 call 7ff6c0438360 call 7ff6c0438598 call 7ff6c0438528 4043->4045 4046 7ff6c04267d4-7ff6c04267dd 4044->4046 4045->4020 4054 7ff6c0426828-7ff6c0426839 4045->4054 4046->4020 4048 7ff6c04267df-7ff6c04267e6 4046->4048 4048->4043 4048->4046 4055 7ff6c042683b-7ff6c042684e 4054->4055 4056 7ff6c0426854 call 7ff6c045220c 4054->4056 4055->3858 4055->4056 4056->4020
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CMT
                                                                                    • API String ID: 0-2756464174
                                                                                    • Opcode ID: b8fa635b894758bb4949fb57bddd48836ff0d2ecd2be86fe1bb2065c738ed5aa
                                                                                    • Instruction ID: 7a4375f56bc5073d881bbb44e90746fca32a1f76bde79ade84ac53f3447b7cfe
                                                                                    • Opcode Fuzzy Hash: b8fa635b894758bb4949fb57bddd48836ff0d2ecd2be86fe1bb2065c738ed5aa
                                                                                    • Instruction Fuzzy Hash: D042CA62B08682EAEB18DF74D1442FE67A5EB55389F008136DB9ED3796DF38E558C300
                                                                                    Function 00007FF6C0441F20 Relevance: .3, Instructions: 337COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
                                                                                    • Instruction ID: b0292e54368d2fcd1f452a26dd927ec155543c7f057e201207c6638f9d6caadc
                                                                                    • Opcode Fuzzy Hash: 6a2ba48437b82e373fac81338819d40f47a0019a50d197aab006f7cc31990992
                                                                                    • Instruction Fuzzy Hash: 11E1D162A08282EAEB64CF69A0442AE7B91FB84749F058139DBCED7785DF3CE5458704
                                                                                    Function 00007FF6C0443484 Relevance: .3, Instructions: 302COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: bca6f1c51f28919b1ed0d44622ea5b19d03515415c361c6bf899ecd233d7ad4e
                                                                                    • Instruction ID: 2808b229257f928f63c3918820270c32b30217b1bbab1d457933055dd3b82c08
                                                                                    • Opcode Fuzzy Hash: bca6f1c51f28919b1ed0d44622ea5b19d03515415c361c6bf899ecd233d7ad4e
                                                                                    • Instruction Fuzzy Hash: 37B1C1A2B08AC9B2DE58DEA595086EAA392B744FC6F44C436DE9D87741DF3CE155C300
                                                                                    Function 00007FF6C0434928 Relevance: .1, Instructions: 136COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                    • String ID:
                                                                                    • API String ID: 3340455307-0
                                                                                    • Opcode ID: 2cb8b9ec6f6f726b57ae810d2a963647076a0ed4099b9c3b4f35ab7767efdb68
                                                                                    • Instruction ID: 7cf288ac30d7202457dbc6abba32ddd1e6ed7f1b2d89e8e763fd7487d132d6e5
                                                                                    • Opcode Fuzzy Hash: 2cb8b9ec6f6f726b57ae810d2a963647076a0ed4099b9c3b4f35ab7767efdb68
                                                                                    • Instruction Fuzzy Hash: 5741F622B15656D6FA64EF22A9417AB2252FBC8785F04E031DE8EC7794DF3CF4468704
                                                                                    Function 00007FF6C043DFD0 Relevance: 143.9, APIs: 16, Strings: 66, Instructions: 440libraryfileloaderCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 0 7ff6c043dfd0-7ff6c043e024 call 7ff6c0452450 GetModuleHandleW 3 7ff6c043e026-7ff6c043e039 GetProcAddress 0->3 4 7ff6c043e07b-7ff6c043e3a5 0->4 5 7ff6c043e03b-7ff6c043e04a 3->5 6 7ff6c043e053-7ff6c043e066 GetProcAddress 3->6 7 7ff6c043e3ab-7ff6c043e3b4 call 7ff6c045b788 4->7 8 7ff6c043e503-7ff6c043e521 call 7ff6c0436454 call 7ff6c0437df4 4->8 5->6 6->4 10 7ff6c043e068-7ff6c043e078 6->10 7->8 16 7ff6c043e3ba-7ff6c043e3fd call 7ff6c0436454 CreateFileW 7->16 20 7ff6c043e525-7ff6c043e52f call 7ff6c04351a4 8->20 10->4 21 7ff6c043e4f0-7ff6c043e4fe CloseHandle call 7ff6c0421fa0 16->21 22 7ff6c043e403-7ff6c043e416 SetFilePointer 16->22 28 7ff6c043e531-7ff6c043e53c call 7ff6c043dd88 20->28 29 7ff6c043e564-7ff6c043e5ac call 7ff6c045797c call 7ff6c042129c call 7ff6c0438090 call 7ff6c0421fa0 call 7ff6c04332bc 20->29 21->8 22->21 24 7ff6c043e41c-7ff6c043e43e ReadFile 22->24 24->21 27 7ff6c043e444-7ff6c043e452 24->27 31 7ff6c043e458-7ff6c043e4ac call 7ff6c045797c call 7ff6c042129c 27->31 32 7ff6c043e800-7ff6c043e807 call 7ff6c0452624 27->32 28->29 41 7ff6c043e53e-7ff6c043e562 CompareStringW 28->41 69 7ff6c043e5b1-7ff6c043e5b4 29->69 49 7ff6c043e4c3-7ff6c043e4d9 call 7ff6c043d0a0 31->49 41->29 42 7ff6c043e5bd-7ff6c043e5c6 41->42 42->20 47 7ff6c043e5cc 42->47 50 7ff6c043e5d1-7ff6c043e5d4 47->50 64 7ff6c043e4db-7ff6c043e4eb call 7ff6c0421fa0 * 2 49->64 65 7ff6c043e4ae-7ff6c043e4be call 7ff6c043dd88 49->65 51 7ff6c043e5d6-7ff6c043e5d9 50->51 52 7ff6c043e63f-7ff6c043e642 50->52 57 7ff6c043e5dd-7ff6c043e62d call 7ff6c045797c call 7ff6c042129c call 7ff6c0438090 call 7ff6c0421fa0 call 7ff6c04332bc 51->57 55 7ff6c043e648-7ff6c043e65b call 7ff6c0437eb0 call 7ff6c04351a4 52->55 56 7ff6c043e7c2-7ff6c043e7ff call 7ff6c0421fa0 * 2 call 7ff6c0452320 52->56 82 7ff6c043e706-7ff6c043e753 call 7ff6c043da98 AllocConsole 55->82 83 7ff6c043e661-7ff6c043e701 call 7ff6c043dd88 * 2 call 7ff6c043aae0 call 7ff6c043da98 call 7ff6c043aae0 call 7ff6c043dc2c call 7ff6c04487ac call 7ff6c04219e0 55->83 108 7ff6c043e63c 57->108 109 7ff6c043e62f-7ff6c043e638 57->109 64->21 65->49 76 7ff6c043e5b6 69->76 77 7ff6c043e5ce 69->77 76->42 77->50 94 7ff6c043e7b0 82->94 95 7ff6c043e755-7ff6c043e7aa GetCurrentProcessId AttachConsole call 7ff6c043e868 call 7ff6c043e858 GetStdHandle WriteConsoleW Sleep FreeConsole 82->95 100 7ff6c043e7b4-7ff6c043e7bb call 7ff6c04219e0 ExitProcess 83->100 94->100 95->94 108->52 109->57 112 7ff6c043e63a 109->112 112->52
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                                                                    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                                                                    • API String ID: 1496594111-2013832382
                                                                                    • Opcode ID: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
                                                                                    • Instruction ID: 2d2036e55c6204110898b39b9cc903536dba2ce798ef9b80a71d8cf718dc8a47
                                                                                    • Opcode Fuzzy Hash: 19926894803355f4926a5d38047f13a95aa4f57e947c60c8a04cc60affe7caae
                                                                                    • Instruction Fuzzy Hash: BC322A31A09B82E9EB119F60E8401EA33A8FF49356F509236DA8DC77A5EF7CD655C340
                                                                                    Function 00007FF6C04398DC Relevance: 25.2, APIs: 3, Strings: 11, Instructions: 702COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C0438E58: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C0438F8D
                                                                                    • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6C0439F75
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C043A42F
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C043A435
                                                                                      • Part of subcall function 00007FF6C0440BBC: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6C0440B44), ref: 00007FF6C0440BE9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                                                                    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                                                                    • API String ID: 3629253777-3268106645
                                                                                    • Opcode ID: c1941742baf2d9c3be52f390a0a923855bad3b4b9f203786c8d0fad0fa7aba42
                                                                                    • Instruction ID: 00917d9c77a3b6fefd4cb295e19df7a16d18d6ec8987be798a5025505cd96d24
                                                                                    • Opcode Fuzzy Hash: c1941742baf2d9c3be52f390a0a923855bad3b4b9f203786c8d0fad0fa7aba42
                                                                                    • Instruction Fuzzy Hash: 6162AB22A19682E5EB10DF24D4482BF6365FB48789F80A136DA9EC77D5EF3CE954C340
                                                                                    Function 00007FF6C0451900 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 195libraryCOMMONLIBRARYCODE
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1911 7ff6c0451900-7ff6c0451989 call 7ff6c0451558 1914 7ff6c045198b-7ff6c04519af call 7ff6c0451868 RaiseException 1911->1914 1915 7ff6c04519b4-7ff6c04519d1 1911->1915 1921 7ff6c0451bb8-7ff6c0451bd5 1914->1921 1917 7ff6c04519e6-7ff6c04519ea 1915->1917 1918 7ff6c04519d3-7ff6c04519e4 1915->1918 1920 7ff6c04519ed-7ff6c04519f9 1917->1920 1918->1920 1922 7ff6c0451a1a-7ff6c0451a1d 1920->1922 1923 7ff6c04519fb-7ff6c0451a0d 1920->1923 1924 7ff6c0451a23-7ff6c0451a26 1922->1924 1925 7ff6c0451ac4-7ff6c0451acb 1922->1925 1935 7ff6c0451b89-7ff6c0451b93 1923->1935 1936 7ff6c0451a13 1923->1936 1928 7ff6c0451a3d-7ff6c0451a52 LoadLibraryExA 1924->1928 1929 7ff6c0451a28-7ff6c0451a3b 1924->1929 1926 7ff6c0451acd-7ff6c0451adc 1925->1926 1927 7ff6c0451adf-7ff6c0451ae2 1925->1927 1926->1927 1931 7ff6c0451ae8-7ff6c0451aec 1927->1931 1932 7ff6c0451b85 1927->1932 1933 7ff6c0451aa9-7ff6c0451ab2 1928->1933 1934 7ff6c0451a54-7ff6c0451a67 GetLastError 1928->1934 1929->1928 1929->1933 1939 7ff6c0451b1b-7ff6c0451b2e GetProcAddress 1931->1939 1940 7ff6c0451aee-7ff6c0451af2 1931->1940 1932->1935 1945 7ff6c0451abd 1933->1945 1946 7ff6c0451ab4-7ff6c0451ab7 FreeLibrary 1933->1946 1941 7ff6c0451a69-7ff6c0451a7c 1934->1941 1942 7ff6c0451a7e-7ff6c0451aa4 call 7ff6c0451868 RaiseException 1934->1942 1943 7ff6c0451b95-7ff6c0451ba6 1935->1943 1944 7ff6c0451bb0 call 7ff6c0451868 1935->1944 1936->1922 1939->1932 1950 7ff6c0451b30-7ff6c0451b43 GetLastError 1939->1950 1940->1939 1947 7ff6c0451af4-7ff6c0451aff 1940->1947 1941->1933 1941->1942 1942->1921 1943->1944 1953 7ff6c0451bb5 1944->1953 1945->1925 1946->1945 1947->1939 1951 7ff6c0451b01-7ff6c0451b08 1947->1951 1955 7ff6c0451b5a-7ff6c0451b81 call 7ff6c0451868 RaiseException call 7ff6c0451558 1950->1955 1956 7ff6c0451b45-7ff6c0451b58 1950->1956 1951->1939 1958 7ff6c0451b0a-7ff6c0451b0f 1951->1958 1953->1921 1955->1932 1956->1932 1956->1955 1958->1939 1960 7ff6c0451b11-7ff6c0451b19 1958->1960 1960->1932 1960->1939
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                                                                    • String ID: H
                                                                                    • API String ID: 3432403771-2852464175
                                                                                    • Opcode ID: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                    • Instruction ID: 56e8a08039ff9c9d0ceecf635a42ec6989085f410060e9fcf84eec5a8b77b0f9
                                                                                    • Opcode Fuzzy Hash: cf3fc932a6b7fb7fc9ef8320b4dd67bfc8d7ec91281715f792326570f1d4a57f
                                                                                    • Instruction Fuzzy Hash: 4F913A36A05B52EAEB10CF65D8446AE33B1BB08B9AF058539DE8DD7764EF38E445C340
                                                                                    Function 00007FF6C044F4E0 Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 285COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1989 7ff6c044f4e0-7ff6c044f523 1990 7ff6c044f529-7ff6c044f565 call 7ff6c0453cf0 1989->1990 1991 7ff6c044f894-7ff6c044f8b9 call 7ff6c0421fa0 call 7ff6c0452320 1989->1991 1997 7ff6c044f56a-7ff6c044f571 1990->1997 1998 7ff6c044f567 1990->1998 2000 7ff6c044f582-7ff6c044f586 1997->2000 2001 7ff6c044f573-7ff6c044f577 1997->2001 1998->1997 2004 7ff6c044f58b-7ff6c044f596 2000->2004 2005 7ff6c044f588 2000->2005 2002 7ff6c044f57c-7ff6c044f580 2001->2002 2003 7ff6c044f579 2001->2003 2002->2004 2003->2002 2006 7ff6c044f59c 2004->2006 2007 7ff6c044f628 2004->2007 2005->2004 2009 7ff6c044f5a2-7ff6c044f5a9 2006->2009 2008 7ff6c044f62c-7ff6c044f62f 2007->2008 2010 7ff6c044f637-7ff6c044f63a 2008->2010 2011 7ff6c044f631-7ff6c044f635 2008->2011 2012 7ff6c044f5ab 2009->2012 2013 7ff6c044f5ae-7ff6c044f5b3 2009->2013 2016 7ff6c044f660-7ff6c044f673 call 7ff6c04363ac 2010->2016 2017 7ff6c044f63c-7ff6c044f643 2010->2017 2011->2010 2011->2016 2012->2013 2014 7ff6c044f5e5-7ff6c044f5f0 2013->2014 2015 7ff6c044f5b5 2013->2015 2021 7ff6c044f5f2 2014->2021 2022 7ff6c044f5f5-7ff6c044f5fa 2014->2022 2018 7ff6c044f5ca-7ff6c044f5d0 2015->2018 2032 7ff6c044f698-7ff6c044f6ed call 7ff6c045797c call 7ff6c042129c call 7ff6c04332a8 call 7ff6c0421fa0 2016->2032 2033 7ff6c044f675-7ff6c044f693 call 7ff6c04413c4 2016->2033 2017->2016 2019 7ff6c044f645-7ff6c044f65c 2017->2019 2023 7ff6c044f5b7-7ff6c044f5be 2018->2023 2024 7ff6c044f5d2 2018->2024 2019->2016 2021->2022 2026 7ff6c044f8ba-7ff6c044f8c1 2022->2026 2027 7ff6c044f600-7ff6c044f607 2022->2027 2028 7ff6c044f5c3-7ff6c044f5c8 2023->2028 2029 7ff6c044f5c0 2023->2029 2024->2014 2030 7ff6c044f8c6-7ff6c044f8cb 2026->2030 2031 7ff6c044f8c3 2026->2031 2034 7ff6c044f60c-7ff6c044f612 2027->2034 2035 7ff6c044f609 2027->2035 2028->2018 2037 7ff6c044f5d4-7ff6c044f5db 2028->2037 2029->2028 2038 7ff6c044f8cd-7ff6c044f8d4 2030->2038 2039 7ff6c044f8de-7ff6c044f8e6 2030->2039 2031->2030 2056 7ff6c044f742-7ff6c044f74f ShellExecuteExW 2032->2056 2057 7ff6c044f6ef-7ff6c044f73d call 7ff6c045797c call 7ff6c042129c call 7ff6c0435b60 call 7ff6c0421fa0 2032->2057 2033->2032 2034->2026 2036 7ff6c044f618-7ff6c044f622 2034->2036 2035->2034 2036->2007 2036->2009 2042 7ff6c044f5dd 2037->2042 2043 7ff6c044f5e0 2037->2043 2044 7ff6c044f8d6 2038->2044 2045 7ff6c044f8d9 2038->2045 2046 7ff6c044f8eb-7ff6c044f8f6 2039->2046 2047 7ff6c044f8e8 2039->2047 2042->2043 2043->2014 2044->2045 2045->2039 2046->2008 2047->2046 2058 7ff6c044f846-7ff6c044f84e 2056->2058 2059 7ff6c044f755-7ff6c044f75f 2056->2059 2057->2056 2064 7ff6c044f882-7ff6c044f88f 2058->2064 2065 7ff6c044f850-7ff6c044f866 2058->2065 2061 7ff6c044f76f-7ff6c044f772 2059->2061 2062 7ff6c044f761-7ff6c044f764 2059->2062 2067 7ff6c044f774-7ff6c044f77f call 7ff6c048e188 2061->2067 2068 7ff6c044f78e-7ff6c044f7ad call 7ff6c048e1b8 call 7ff6c044fe24 2061->2068 2062->2061 2066 7ff6c044f766-7ff6c044f76d 2062->2066 2064->1991 2070 7ff6c044f87d call 7ff6c045220c 2065->2070 2071 7ff6c044f868-7ff6c044f87b 2065->2071 2066->2061 2072 7ff6c044f7e3-7ff6c044f7f0 CloseHandle 2066->2072 2067->2068 2088 7ff6c044f781-7ff6c044f78c ShowWindow 2067->2088 2068->2072 2097 7ff6c044f7af-7ff6c044f7b2 2068->2097 2070->2064 2071->2070 2076 7ff6c044f8fb-7ff6c044f903 call 7ff6c0457904 2071->2076 2078 7ff6c044f7f2-7ff6c044f803 call 7ff6c04413c4 2072->2078 2079 7ff6c044f805-7ff6c044f80c 2072->2079 2078->2079 2086 7ff6c044f82e-7ff6c044f830 2078->2086 2079->2086 2087 7ff6c044f80e-7ff6c044f811 2079->2087 2086->2058 2093 7ff6c044f832-7ff6c044f835 2086->2093 2087->2086 2092 7ff6c044f813-7ff6c044f828 2087->2092 2088->2068 2092->2086 2093->2058 2096 7ff6c044f837-7ff6c044f845 ShowWindow 2093->2096 2096->2058 2097->2072 2099 7ff6c044f7b4-7ff6c044f7c5 GetExitCodeProcess 2097->2099 2099->2072 2100 7ff6c044f7c7-7ff6c044f7dc 2099->2100 2100->2072
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                                                                    • String ID: .exe$.inf$Install$p
                                                                                    • API String ID: 1054546013-3607691742
                                                                                    • Opcode ID: bd083846a701d2a936ecc778425380adf73900159b5be9ae941c3623c510174f
                                                                                    • Instruction ID: 49428e8b15acdcdf7226e169e9b07f2e5961b3f3d157d2b4e28ed05a5e62f159
                                                                                    • Opcode Fuzzy Hash: bd083846a701d2a936ecc778425380adf73900159b5be9ae941c3623c510174f
                                                                                    • Instruction Fuzzy Hash: 81C18E62F18A12F5FB01DFA5D95427A23A1AF85B82F048532DE8DC77A5EF3CE5518340
                                                                                    Function 00007FF6C044F0A4 Relevance: 16.6, APIs: 11, Instructions: 102windowCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3569833718-0
                                                                                    • Opcode ID: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                                    • Instruction ID: 7985dbc0910b4628d6754b1be62f2a787916f1ff56ec3b79e1edf3e76971c6bf
                                                                                    • Opcode Fuzzy Hash: c58ef51af4c11ae469b78d40ba7290d4e9656f32b0895ce54e4debee0d1a06d9
                                                                                    • Instruction Fuzzy Hash: A041E431B14742E6F710CF62E810BAB2360EB45B89F448636DD8ACBB95CF3DD8458780
                                                                                    Function 00007FF6C042EF10 Relevance: 11.0, APIs: 7, Instructions: 453COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
                                                                                    • Instruction ID: a56762ccd302fe7e670725b1bc89007a6e012f63c53744ea488d4deb740808a2
                                                                                    • Opcode Fuzzy Hash: e994a9db728abc9e3b7c2f1aeddd0c1bbb8b4fdc17eb45be45aeabee48c93372
                                                                                    • Instruction Fuzzy Hash: 56129162B08B41E5EA10DF65D4482AE2371AB457A9F808236DE9CD7BDADF3CE585C340
                                                                                    Function 00007FF6C04324C0 Relevance: 9.2, APIs: 6, Instructions: 164filetimeCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 3763 7ff6c04324c0-7ff6c04324fb 3764 7ff6c0432506 3763->3764 3765 7ff6c04324fd-7ff6c0432504 3763->3765 3766 7ff6c0432509-7ff6c0432578 3764->3766 3765->3764 3765->3766 3767 7ff6c043257d-7ff6c04325a8 CreateFileW 3766->3767 3768 7ff6c043257a 3766->3768 3769 7ff6c0432688-7ff6c043268d 3767->3769 3770 7ff6c04325ae-7ff6c04325de GetLastError call 7ff6c0436a0c 3767->3770 3768->3767 3771 7ff6c0432693-7ff6c0432697 3769->3771 3779 7ff6c043262c 3770->3779 3780 7ff6c04325e0-7ff6c043262a CreateFileW GetLastError 3770->3780 3773 7ff6c0432699-7ff6c043269c 3771->3773 3774 7ff6c04326a5-7ff6c04326a9 3771->3774 3773->3774 3776 7ff6c043269e 3773->3776 3777 7ff6c04326ab-7ff6c04326af 3774->3777 3778 7ff6c04326cf-7ff6c04326e3 3774->3778 3776->3774 3777->3778 3781 7ff6c04326b1-7ff6c04326c9 SetFileTime 3777->3781 3782 7ff6c043270c-7ff6c0432735 call 7ff6c0452320 3778->3782 3783 7ff6c04326e5-7ff6c04326f0 3778->3783 3784 7ff6c0432632-7ff6c043263a 3779->3784 3780->3784 3781->3778 3786 7ff6c0432708 3783->3786 3787 7ff6c04326f2-7ff6c04326fa 3783->3787 3788 7ff6c043263c-7ff6c0432653 3784->3788 3789 7ff6c0432673-7ff6c0432686 3784->3789 3786->3782 3791 7ff6c04326fc 3787->3791 3792 7ff6c04326ff-7ff6c0432703 call 7ff6c04220b0 3787->3792 3793 7ff6c043266e call 7ff6c045220c 3788->3793 3794 7ff6c0432655-7ff6c0432668 3788->3794 3789->3771 3791->3792 3792->3786 3793->3789 3794->3793 3795 7ff6c0432736-7ff6c043273b call 7ff6c0457904 3794->3795
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3536497005-0
                                                                                    • Opcode ID: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                                    • Instruction ID: d4f255821227257c66b022b021d6bf8e9a6c3bd14cb63aafc7008dae67881e6f
                                                                                    • Opcode Fuzzy Hash: 7e74b88d639c8d570aa5cbccebcd9353285634c108726f52f9c563d03d833b9c
                                                                                    • Instruction Fuzzy Hash: 7E61D0B6A18641D6E7208F29E50136F77B1BB897A8F109324DFA983BD8DF3DD0588740
                                                                                    Function 00007FF6C044B014 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54windowCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$Resource$Object$AllocBitmapCreateDeleteGdipLoadLock$FindFreeFromSizeofStreamUnlock
                                                                                    • String ID: ]
                                                                                    • API String ID: 3561356813-3352871620
                                                                                    • Opcode ID: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                    • Instruction ID: 05d8647613b621eeb0ad3f36c382337f68a7f6de2c40fa669932c5a5386a8f6f
                                                                                    • Opcode Fuzzy Hash: 2f79d63664e457f963bfbd157e1c525b341384e02eb8e860e1f42d2dee528bbf
                                                                                    • Instruction Fuzzy Hash: 64119620B09242F1FA64DF62964427B5291AF89BC2F088538DD9DC7B96DF3CE8048B40
                                                                                    Function 00007FF6C044AE1C Relevance: 7.5, APIs: 5, Instructions: 27windowCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DialogDispatchPeekTranslate
                                                                                    • String ID:
                                                                                    • API String ID: 1266772231-0
                                                                                    • Opcode ID: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                    • Instruction ID: 2db38a21b8929f69becde762dfeaa5974c514141b739e07c7a74c8d2c233c22b
                                                                                    • Opcode Fuzzy Hash: 8f901ab8bb575df3ccfb48a5cb3294f091b017f84468599a2020223c8e70b7dc
                                                                                    • Instruction Fuzzy Hash: 7EF0EC25B38942E2FB509F61E899E372361BFD0B06F849932E58EC6A54DF3CD518CB40
                                                                                    Function 00007FF6C04491E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AutoClassCompareCompleteFindNameStringWindow
                                                                                    • String ID: EDIT
                                                                                    • API String ID: 4243998846-3080729518
                                                                                    • Opcode ID: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                    • Instruction ID: 65bc63fc2dc0b64775ea6ec9e7b605f74b182b185efdf757ddd29adf37a39aca
                                                                                    • Opcode Fuzzy Hash: 5198dd27efd6ef2cfe81d4e1a42d30dc263c523227a297f5f4c02164b2b5e029
                                                                                    • Instruction Fuzzy Hash: DE016D21B18A83F1FA209F62E8157B76390BF99B42F448532CD8DCA754EF3CE5499B40
                                                                                    Function 00007FF6C0432CE0 Relevance: 6.1, APIs: 4, Instructions: 136fileCOMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 4073 7ff6c0432ce0-7ff6c0432d0a 4074 7ff6c0432d0c-7ff6c0432d0e 4073->4074 4075 7ff6c0432d13-7ff6c0432d1b 4073->4075 4076 7ff6c0432ea9-7ff6c0432ec4 call 7ff6c0452320 4074->4076 4077 7ff6c0432d1d-7ff6c0432d28 GetStdHandle 4075->4077 4078 7ff6c0432d2b 4075->4078 4077->4078 4080 7ff6c0432d31-7ff6c0432d3d 4078->4080 4082 7ff6c0432d86-7ff6c0432da2 WriteFile 4080->4082 4083 7ff6c0432d3f-7ff6c0432d44 4080->4083 4086 7ff6c0432da6-7ff6c0432da9 4082->4086 4084 7ff6c0432d46-7ff6c0432d7a WriteFile 4083->4084 4085 7ff6c0432daf-7ff6c0432db3 4083->4085 4084->4086 4087 7ff6c0432d7c-7ff6c0432d82 4084->4087 4088 7ff6c0432ea2-7ff6c0432ea6 4085->4088 4089 7ff6c0432db9-7ff6c0432dbd 4085->4089 4086->4085 4086->4088 4087->4084 4090 7ff6c0432d84 4087->4090 4088->4076 4089->4088 4091 7ff6c0432dc3-7ff6c0432dd8 call 7ff6c042b4f8 4089->4091 4090->4086 4094 7ff6c0432dda-7ff6c0432de1 4091->4094 4095 7ff6c0432e1e-7ff6c0432e6d call 7ff6c045797c call 7ff6c042129c call 7ff6c042bca8 4091->4095 4094->4080 4096 7ff6c0432de7-7ff6c0432de9 4094->4096 4095->4088 4106 7ff6c0432e6f-7ff6c0432e86 4095->4106 4096->4080 4098 7ff6c0432def-7ff6c0432e19 4096->4098 4098->4080 4107 7ff6c0432e88-7ff6c0432e9b 4106->4107 4108 7ff6c0432e9d call 7ff6c045220c 4106->4108 4107->4108 4109 7ff6c0432ec5-7ff6c0432ecb call 7ff6c0457904 4107->4109 4108->4088
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite$Handle
                                                                                    • String ID:
                                                                                    • API String ID: 4209713984-0
                                                                                    • Opcode ID: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                                    • Instruction ID: 91ba2d33a05bf91334a6681b184eb2c9aff1fd11cd77a1046972584b71e16b13
                                                                                    • Opcode Fuzzy Hash: 95d7fd16c8d926fcf5da752308064adee905e679e75eda990adbc5c1a1c917ca
                                                                                    • Instruction Fuzzy Hash: C251E372A19A42E2EA508F25D54577B3360EB88B96F149135EB8DC7B90DF3CE485C700
                                                                                    Function 00007FF6C04503E0 Relevance: 6.1, APIs: 4, Instructions: 123COMMON
                                                                                    Download Yara Rule

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$TextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2912839123-0
                                                                                    • Opcode ID: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                                    • Instruction ID: 6a314fe7b2e3f51552d991305149f707133286bb6c8dc2426a6f35de5c182da6
                                                                                    • Opcode Fuzzy Hash: 34b731ebe9af3ba17aed105ea6cd5e0b01c3b8b12ff97f26908d03dc914b4b53
                                                                                    • Instruction Fuzzy Hash: E451CFBAF14656E4FB00DFA4D8442AE3362AF45B96F408636DA9DD6BD5EF6CD040C300
                                                                                    Function 00007FF6C0452D6C Relevance: 6.1, APIs: 4, Instructions: 94COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                    • String ID:
                                                                                    • API String ID: 1452418845-0
                                                                                    • Opcode ID: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                    • Instruction ID: 033c2a133c09a6ed73bdca54943fe77f65718a2862598e3f34b5ea64ebe50778
                                                                                    • Opcode Fuzzy Hash: f380b52e8f95e6a0f24ce785192d8cb773bc143ddf3d62aee805abe4fb8ed354
                                                                                    • Instruction Fuzzy Hash: AE31F839A0C106F6FA54AF6495523BB3291AF46746F44D53AEACECB3D3DF2CA8048351
                                                                                    Function 00007FF6C0433684 Relevance: 6.1, APIs: 4, Instructions: 94COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 2359106489-0
                                                                                    • Opcode ID: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                                    • Instruction ID: 6dccdc97f88b2c62d1da588f07cb06f04140fdde165f97f6254ab29b709633b9
                                                                                    • Opcode Fuzzy Hash: 9d9d2995018f7f6f648ac6a5d97c5d37007cde808aee1d861722df7aa9659c46
                                                                                    • Instruction Fuzzy Hash: 7431A0A6A0C682E1EA209F25A54527F6362BF8D7A2F50D231EEDDC3795DF3CD4458700
                                                                                    Function 00007FF6C0432320 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$FileHandleRead
                                                                                    • String ID:
                                                                                    • API String ID: 2244327787-0
                                                                                    • Opcode ID: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                                    • Instruction ID: 4d95485a7e3dffd932f79107cd4c0a55133f93f2a181fdbc39ed0f95fc806d1f
                                                                                    • Opcode Fuzzy Hash: 5dece825d5be91adec6864fa12bb564f4e3b5809c08bfde6ef0babe01e3581d0
                                                                                    • Instruction Fuzzy Hash: CD217F31A0C652E1EA609F21A50023B73A0FB49B96F14A534DFDDC7788DF7CD8858711
                                                                                    Function 00007FF6C043E948 Relevance: 6.0, APIs: 4, Instructions: 31COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C043ECD8: ResetEvent.KERNEL32 ref: 00007FF6C043ECF1
                                                                                      • Part of subcall function 00007FF6C043ECD8: ReleaseSemaphore.KERNEL32 ref: 00007FF6C043ED07
                                                                                    • ReleaseSemaphore.KERNEL32 ref: 00007FF6C043E974
                                                                                    • CloseHandle.KERNELBASE ref: 00007FF6C043E993
                                                                                    • DeleteCriticalSection.KERNEL32 ref: 00007FF6C043E9AA
                                                                                    • CloseHandle.KERNEL32 ref: 00007FF6C043E9B7
                                                                                      • Part of subcall function 00007FF6C043EA5C: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C043E95F,?,?,?,00007FF6C043463A,?,?,?), ref: 00007FF6C043EA63
                                                                                      • Part of subcall function 00007FF6C043EA5C: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C043E95F,?,?,?,00007FF6C043463A,?,?,?), ref: 00007FF6C043EA6E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                                                    • String ID:
                                                                                    • API String ID: 502429940-0
                                                                                    • Opcode ID: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                                    • Instruction ID: e75f21966f9bdaab4368dc053916cb3206eebefd8528b05d695e56a23e38bdc3
                                                                                    • Opcode Fuzzy Hash: 7c4c69b688bb09167c3d8ec6f4195a818a409db0987586a56ae23aa503e7e0cd
                                                                                    • Instruction Fuzzy Hash: 24012D32A15A81E3E6489F21E5446AEB330FB88B91F009135DB9DC3765CF39E4B98740
                                                                                    Function 00007FF6C043EAA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42threadCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$CreatePriority
                                                                                    • String ID: CreateThread failed
                                                                                    • API String ID: 2610526550-3849766595
                                                                                    • Opcode ID: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                                    • Instruction ID: d67cafd05cee08924439fe09096c587507c5339fc827c3f8d21e365a55ff7e3d
                                                                                    • Opcode Fuzzy Hash: cf4f3858e1c5421656891f758a667cd72a6f2059ba57d4f8d940dbc9b5e0f540
                                                                                    • Instruction Fuzzy Hash: A5114C31A19A42E1E601DF11E8416ABB360FB84786F54C636D68DC2769EF7CE541CB40
                                                                                    Function 00007FF6C044946C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26comCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryInitializeMallocSystem
                                                                                    • String ID: riched20.dll
                                                                                    • API String ID: 174490985-3360196438
                                                                                    • Opcode ID: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                                    • Instruction ID: 79339383799d83bbb8a7e05eb3068e9f7109f9916310bd5bd5260bf0aae17d14
                                                                                    • Opcode Fuzzy Hash: 0d85db053d286d1bd0fa19ead2840fc3f5149c6ee0f027e6ed6c33eb2c824e37
                                                                                    • Instruction Fuzzy Hash: 2EF04F71618B41D2EB019F20F41456BB3A0FB89755F408636EACDC6754DF7CD159CB40
                                                                                    Function 00007FF6C044095C Relevance: 4.7, APIs: 3, Instructions: 152windowCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C044853C: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6C044856C
                                                                                      • Part of subcall function 00007FF6C043AAE0: LoadStringW.USER32 ref: 00007FF6C043AB67
                                                                                      • Part of subcall function 00007FF6C043AAE0: LoadStringW.USER32 ref: 00007FF6C043AB80
                                                                                      • Part of subcall function 00007FF6C0421FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C0421FFB
                                                                                      • Part of subcall function 00007FF6C042129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C0421396
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C04501BB
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C04501C1
                                                                                    • SendDlgItemMessageW.USER32 ref: 00007FF6C04501F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                                                                    • String ID:
                                                                                    • API String ID: 3106221260-0
                                                                                    • Opcode ID: 7d1f69911a00d0741de56b49c262a8841e6eb375053cbff927e1aaae2ee712c8
                                                                                    • Instruction ID: 87253d214ec31c0067bd0d7b8ebf174f8f71415ffa96af1f7d0412e8e19b9ceb
                                                                                    • Opcode Fuzzy Hash: 7d1f69911a00d0741de56b49c262a8841e6eb375053cbff927e1aaae2ee712c8
                                                                                    • Instruction Fuzzy Hash: 8451C076F04A42E6FB109FA1D4452FE2362AB89B85F408236DE9ED7796DF2CD500C340
                                                                                    Function 00007FF6C0432134 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 2272807158-0
                                                                                    • Opcode ID: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
                                                                                    • Instruction ID: b4a3a4d6f169ab4e220173622d398c1368545e94b083c280c3bbebae591a9a00
                                                                                    • Opcode Fuzzy Hash: 4ce248ffffd21e537046429b603db88a9fd2a3d13b10b45fb751dcef003d6319
                                                                                    • Instruction Fuzzy Hash: 98418072A18682E2EA108F15E54426A73A1FB897B5F109735DFED87BD5CF3CE4948700
                                                                                    Function 00007FF6C04223F8 Relevance: 4.6, APIs: 3, Instructions: 73COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 2176759853-0
                                                                                    • Opcode ID: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
                                                                                    • Instruction ID: c9d820d30afcb1fd420f8e453d3a3a10d7f8cb7347dbc42f22ab7f201caf2a1a
                                                                                    • Opcode Fuzzy Hash: 324ad9725680782466c8b9226039195d64c3332d7d8035b24254b52cca95445d
                                                                                    • Instruction Fuzzy Hash: 33219E72A18B81D1EA108F25A54016AB364FB89BD1F148236EFDDC3B95CF3CD1808740
                                                                                    Function 00007FF6C0441F94 Relevance: 4.6, APIs: 3, Instructions: 68COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: std::bad_alloc::bad_alloc
                                                                                    • String ID:
                                                                                    • API String ID: 1875163511-0
                                                                                    • Opcode ID: 5d5f35b7d0b1a8ec44982466ed86c266d3277025963138b758b7e20b27780546
                                                                                    • Instruction ID: 8b32b2c6cd07656b1d30e06f648ce2e7d68b2166ce948b222875a46deb7c086e
                                                                                    • Opcode Fuzzy Hash: 5d5f35b7d0b1a8ec44982466ed86c266d3277025963138b758b7e20b27780546
                                                                                    • Instruction Fuzzy Hash: 55314122A09A86F1FB249F54E5443BA63A0FB50B85F54C431E7CCC6BA9DF6CE956C301
                                                                                    Function 00007FF6C0433D34 Relevance: 4.6, APIs: 3, Instructions: 62COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 1203560049-0
                                                                                    • Opcode ID: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
                                                                                    • Instruction ID: e85475e530a2b054e5d2f68f3bc6c727d5010e97c8ec9401b6ba9f3908c56376
                                                                                    • Opcode Fuzzy Hash: 523e4a483c86c9ac9ee543cf6c476d9bf2e9d6353514affc3e0f4067b8c7bc61
                                                                                    • Instruction Fuzzy Hash: 2A21B362A1CA81D1EA209F25E44526B6362FF89B96F109234EEDEC3795EF3CD544CB00
                                                                                    Function 00007FF6C04331BC Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3118131910-0
                                                                                    • Opcode ID: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
                                                                                    • Instruction ID: 2951c3e8c105ceb24fc730ebc91d920261577c7a302a055b75f9e99abaf6af5d
                                                                                    • Opcode Fuzzy Hash: 9e0f12d03b62ccef14e62e4bf3878a3457daa81ed2db8d115c48a0739d4b379d
                                                                                    • Instruction Fuzzy Hash: EC21A172A1C781D1EA108F25E44426F7361FB89B96F509235EADEC7B99DF2CD540C700
                                                                                    Function 00007FF6C04332BC Relevance: 4.6, APIs: 3, Instructions: 57COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 1203560049-0
                                                                                    • Opcode ID: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
                                                                                    • Instruction ID: e008c27a0911627fb8aeb5b79de0ed44f36d67a90247aa8930925f3bd67b918e
                                                                                    • Opcode Fuzzy Hash: d981565e32c06465bb9ca9e6032df0ff87469bcd01ee0110978b6e45bf249536
                                                                                    • Instruction Fuzzy Hash: 98216072A18A81D1EA109F29E44422B6361FB89BA6F509331EADDC3BA5DF3CD544C700
                                                                                    Function 00007FF6C045BF64 Relevance: 4.5, APIs: 3, Instructions: 19COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                    • String ID:
                                                                                    • API String ID: 1703294689-0
                                                                                    • Opcode ID: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                                    • Instruction ID: d811d23ed97ea99776f92dc128ca54b549146189d6c72a45d09a4358da2bd26c
                                                                                    • Opcode Fuzzy Hash: 44b3a526fe0d15710854bc957cc7a82f9edee4cc7420f0560de4bec5ea2a17a0
                                                                                    • Instruction Fuzzy Hash: 01E01A39A08706E6EA546F219C953BB23626F98B43F10853CC88AC2396DF3DA4498B41
                                                                                    Function 00007FF6C042F578 Relevance: 3.2, APIs: 2, Instructions: 193COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C042F895
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C042F89B
                                                                                      • Part of subcall function 00007FF6C0433EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6C0440811), ref: 00007FF6C0433EFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                                                                    • String ID:
                                                                                    • API String ID: 3587649625-0
                                                                                    • Opcode ID: c851e9ba04b89524686dcd5c2666f728f32a2a2025563ce38f6b7d0a4701346e
                                                                                    • Instruction ID: 30429891895b4c8c8ef8116e9b90e547eafb1f3c0f716652a9fd6066b0a121ad
                                                                                    • Opcode Fuzzy Hash: c851e9ba04b89524686dcd5c2666f728f32a2a2025563ce38f6b7d0a4701346e
                                                                                    • Instruction Fuzzy Hash: CE918073B18A91E0EB10DF64D4482AE6361FB84799F908136EA9CC7BE9DF78D585C700
                                                                                    Function 00007FF6C0423904 Relevance: 3.1, APIs: 2, Instructions: 124COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: 402f2d810e1efc6a759daaa5297bed4678b331cbcfb426b8061d29b6a9ebee63
                                                                                    • Instruction ID: 01e1a275ec26671d2d54f850e8ab0340dea0a992c133ba1379a3262950c92ba5
                                                                                    • Opcode Fuzzy Hash: 402f2d810e1efc6a759daaa5297bed4678b331cbcfb426b8061d29b6a9ebee63
                                                                                    • Instruction Fuzzy Hash: 6341A162F18651E4FB04DEB1D4442AE2371AF45BDAF149235DE9DE7B9ADF38D4828300
                                                                                    Function 00007FF6C0432778 Relevance: 3.1, APIs: 2, Instructions: 100COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF6C043274D), ref: 00007FF6C04328A9
                                                                                    • GetLastError.KERNEL32(?,00007FF6C043274D), ref: 00007FF6C04328B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastPointer
                                                                                    • String ID:
                                                                                    • API String ID: 2976181284-0
                                                                                    • Opcode ID: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                                    • Instruction ID: 766181e596f7f4fc52b41bdd5303c33534b91c0da7b6d1a069bbcd50c783ab9c
                                                                                    • Opcode Fuzzy Hash: 043a82e8aff847b2e282b78885e55c7214a93c585b530bdf19c19deffc600893
                                                                                    • Instruction Fuzzy Hash: E8319632B19A52E2EA645F2ADA4067A3350AF08BD6F14A231DF9DD7790DF3CD5418740
                                                                                    Function 00007FF6C04222BC Relevance: 3.1, APIs: 2, Instructions: 83COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Item_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 1746051919-0
                                                                                    • Opcode ID: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
                                                                                    • Instruction ID: 3a92bcda6c56ee09829ee20cd29bec6f8de04e79cd528e17440acb55212c3487
                                                                                    • Opcode Fuzzy Hash: 8763c555b957396376e96df864685bb2527d49eefc22d4d720e740779d29c564
                                                                                    • Instruction Fuzzy Hash: 5031AD62B18B45E2EA208F25E54836BB360EB84B91F408235EBDCC7BA5DF3CE1408700
                                                                                    Function 00007FF6C0432AD0 Relevance: 3.1, APIs: 2, Instructions: 76timeCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$BuffersFlushTime
                                                                                    • String ID:
                                                                                    • API String ID: 1392018926-0
                                                                                    • Opcode ID: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                    • Instruction ID: 0649fa87a9bb5dfaf42952746ee786d5ec8c253689ec93bf4f7d779842a07b69
                                                                                    • Opcode Fuzzy Hash: 1f7bfd0f82637a6abdcd08aef8b442a865f6f50d97ba3a1fa7ef62b0e093425a
                                                                                    • Instruction Fuzzy Hash: B3218D32A09B42F1EA628E11D6047BBA790AB09796F15A131DF8CC7395EF3CE586C300
                                                                                    Function 00007FF6C043AAE0 Relevance: 3.1, APIs: 2, Instructions: 52COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString
                                                                                    • String ID:
                                                                                    • API String ID: 2948472770-0
                                                                                    • Opcode ID: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                    • Instruction ID: 82a9182d6911ef4c81f895052d4858214440228d44017dee65dc72b65b4aec61
                                                                                    • Opcode Fuzzy Hash: efc1550bd5bba1d5ac9face2304fa075ed5e4cb94ffc19493764f318ca00d951
                                                                                    • Instruction Fuzzy Hash: 3E118E71B18641D5EA448F16A88002AB7A1BB88FC2F548A36CA9DD3721DF7CE5518384
                                                                                    Function 00007FF6C0432BB0 Relevance: 3.0, APIs: 2, Instructions: 47COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFileLastPointer
                                                                                    • String ID:
                                                                                    • API String ID: 2976181284-0
                                                                                    • Opcode ID: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                    • Instruction ID: 99956c95f3fe1d4459b877845c020f63753bb1fa60f0e6c13a70f4e0c7b90547
                                                                                    • Opcode Fuzzy Hash: 5eda2cbf1ce6837a88d649c872729f31e823bc49095d59e5e9b193bf7b9166cd
                                                                                    • Instruction Fuzzy Hash: 94118E31A18642E1EB608F25E94026E7360FB49BA6F54A731DBADC73D5DF2CE586C700
                                                                                    Function 00007FF6C042255C Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemRectTextWindow$Clientswprintf
                                                                                    • String ID:
                                                                                    • API String ID: 3322643685-0
                                                                                    • Opcode ID: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                    • Instruction ID: 1d28ac48d2904d7acbc9a3454dcd18c77fa44aa1c7f1de7d5d9ef8b9b21d2d0d
                                                                                    • Opcode Fuzzy Hash: ad94589889145b650e3461eb84003e845283bd92425fc2a9221c8100a4e27e71
                                                                                    • Instruction Fuzzy Hash: 60019A20B0924AF1FE595F52A16827B1391AF85742F08C136C9CDCA39AEF2CE8C48300
                                                                                    Function 00007FF6C043EB58 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6C043EBAD,?,?,?,?,00007FF6C0435752,?,?,?,00007FF6C04356DE), ref: 00007FF6C043EB5C
                                                                                    • GetProcessAffinityMask.KERNEL32 ref: 00007FF6C043EB6F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$AffinityCurrentMask
                                                                                    • String ID:
                                                                                    • API String ID: 1231390398-0
                                                                                    • Opcode ID: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                    • Instruction ID: c467a87ac0e8fcfb248588b942ca3c787f2a9142bb6a60aae2ae7065f24da01e
                                                                                    • Opcode Fuzzy Hash: 444071b75e142e51b736d9fa504759652bc9944b894df1f8101a797a07211085
                                                                                    • Instruction Fuzzy Hash: CAE0E561B1858AD2DF098F56C4508EAA3A2BF88B40F84D135E64BC3714EF2CE1498B00
                                                                                    Function 00007FF6C04521D0 Relevance: 3.0, APIs: 2, Instructions: 21COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                                                                    • String ID:
                                                                                    • API String ID: 1173176844-0
                                                                                    • Opcode ID: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
                                                                                    • Instruction ID: be7242b336c55cf4caa62814d5f8ce3daa6f609a03a7369dedb40604216ac939
                                                                                    • Opcode Fuzzy Hash: c507040392a2377e4895e65205c3b95c5fe2146e3485fc393c80d7c2ffdcaf26
                                                                                    • Instruction Fuzzy Hash: 9DE0EC69E09507E1F9582A621A261B720500F2A772E1CD731EBFEC57D2AF1CA4918750
                                                                                    Function 00007FF6C045D90C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 485612231-0
                                                                                    • Opcode ID: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                                    • Instruction ID: d9a768b448c4766bcc4e323fc4ba778ac4ef21e9a586c8de3356e49120805be3
                                                                                    • Opcode Fuzzy Hash: 7829e02dcbd74b51c5e196648e5aad52518f68633834b7095f7e5950a32ae739
                                                                                    • Instruction Fuzzy Hash: D7E0BF64E49503E6FF256FB258551B623916F94756B048534C98DC6352EF2C94858700
                                                                                    Function 00007FF6C04233E4 Relevance: 1.8, APIs: 1, Instructions: 328COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: af39ee99099a55e795e80951e1502b6695bf377bb292aa42fe2ae5656993095e
                                                                                    • Instruction ID: 6a2f544d667caf04c211638c1a19d4f610d0cbe3e8ec3539bdd64c627ee0df66
                                                                                    • Opcode Fuzzy Hash: af39ee99099a55e795e80951e1502b6695bf377bb292aa42fe2ae5656993095e
                                                                                    • Instruction Fuzzy Hash: 0ED19562B0C681F6EB2C9F2595482BA67B6FB45B86F048035DB9DC77A1CF38E4618701
                                                                                    Function 00007FF6C0435294 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 1017591355-0
                                                                                    • Opcode ID: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
                                                                                    • Instruction ID: 5cfa4dd7a211dccdce09e7d84d52babdd9e5ce1a9fbe251ea68f9826745a1e8e
                                                                                    • Opcode Fuzzy Hash: fa91c3799828e3c7186940546e344b2356dc381c1e63a9425ea543ecc2eeea66
                                                                                    • Instruction Fuzzy Hash: 2A61F151A0C647E1FA689E25941427B6291AF59BD6F14E131EECDC7BD6EF6CE4808300
                                                                                    Function 00007FF6C0441870 Relevance: 1.7, APIs: 1, Instructions: 172COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C043E948: ReleaseSemaphore.KERNEL32 ref: 00007FF6C043E974
                                                                                      • Part of subcall function 00007FF6C043E948: CloseHandle.KERNELBASE ref: 00007FF6C043E993
                                                                                      • Part of subcall function 00007FF6C043E948: DeleteCriticalSection.KERNEL32 ref: 00007FF6C043E9AA
                                                                                      • Part of subcall function 00007FF6C043E948: CloseHandle.KERNEL32 ref: 00007FF6C043E9B7
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C0441ACB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle$CriticalDeleteReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 904680172-0
                                                                                    • Opcode ID: f81b05313dfd5b5a73717daa6d384c08c9459244a7d30a6ec5ae517113eafb45
                                                                                    • Instruction ID: de8ccaf6c713178dd829d2d2fd6239bff6711729b95409954151664fc38426e4
                                                                                    • Opcode Fuzzy Hash: f81b05313dfd5b5a73717daa6d384c08c9459244a7d30a6ec5ae517113eafb45
                                                                                    • Instruction Fuzzy Hash: CB617D72B16A85F2EE08DFA5D5540BE7365FB40F91F548532E7AD87B91CF28E4618300
                                                                                    Function 00007FF6C042EC9C Relevance: 1.6, APIs: 1, Instructions: 145COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: d7b1a399856acf99fdb305a598bd345408e38bb8b7611d952776f17d246575aa
                                                                                    • Instruction ID: 7030f9c9d42e33f39649080abbcc0a082bdfce5564132eac97f227984729b2fa
                                                                                    • Opcode Fuzzy Hash: d7b1a399856acf99fdb305a598bd345408e38bb8b7611d952776f17d246575aa
                                                                                    • Instruction Fuzzy Hash: B951A1A2B08682E0FA149F2694487AA2751FB85BC6F448136EFCDC7796CF3DE485C344
                                                                                    Function 00007FF6C042E7A8 Relevance: 1.6, APIs: 1, Instructions: 118COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C0433EC8: FindClose.KERNELBASE(?,?,00000000,00007FF6C0440811), ref: 00007FF6C0433EFD
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C042E993
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 1011579015-0
                                                                                    • Opcode ID: e982e273b1865209a75a3cfd535ad9023e3388265a11ab7418cbf5dec2d39955
                                                                                    • Instruction ID: 34d078dacccde71bcb810d0530ddae62b6b05fb8392bf75a05bca4cfa6e2390e
                                                                                    • Opcode Fuzzy Hash: e982e273b1865209a75a3cfd535ad9023e3388265a11ab7418cbf5dec2d39955
                                                                                    • Instruction Fuzzy Hash: 7A517F62B18686E1FA609F25D44977E2361FF84B86F448236EACDC77A5CF2CD481C750
                                                                                    Function 00007FF6C0431794 Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: 60c8fe66f84878668f1e37175277eb608c06b9d2d44befc405cc34de4c74e42f
                                                                                    • Instruction ID: 75481507368e2e2b69a972cc647c036a22f7fdf2d1886d998b104c089b13ad80
                                                                                    • Opcode Fuzzy Hash: 60c8fe66f84878668f1e37175277eb608c06b9d2d44befc405cc34de4c74e42f
                                                                                    • Instruction Fuzzy Hash: 1941D6A2B18A81D2EA149E17AA4437AA251FF48FC1F44D536EE9CC7F5ADF3CD5518300
                                                                                    Function 00007FF6C0432F58 Relevance: 1.6, APIs: 1, Instructions: 100COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: 71211bdb8fcfb718bc8c1f80de60d6f389c440e1fadeaa63cd7f355b18b082f6
                                                                                    • Instruction ID: c5968b68a81ca0cae5b79438568a92846860a140f453f0fe8173f1002ec44cf3
                                                                                    • Opcode Fuzzy Hash: 71211bdb8fcfb718bc8c1f80de60d6f389c440e1fadeaa63cd7f355b18b082f6
                                                                                    • Instruction Fuzzy Hash: 2141E262A0CB01D1EA149F29E14537B23B2EB89BDAF14A135EB8DC7799CF3CE4408700
                                                                                    Function 00007FF6C045BDF8 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleModule$AddressFreeLibraryProc
                                                                                    • String ID:
                                                                                    • API String ID: 3947729631-0
                                                                                    • Opcode ID: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                                    • Instruction ID: 767699b3de8fecc29643681a6fe87ea51e0935f058d3a4a218cfb66daf814877
                                                                                    • Opcode Fuzzy Hash: 5b4d6432c9ab27f48bf344f41163fa66ca8822e5b5ed34cf2c0174bd429b5c6d
                                                                                    • Instruction Fuzzy Hash: 7E418F36A18652E2FB249F15A8511BA33A1AF54B42F44C53ADA8DC77A1DF3DE841CB80
                                                                                    Function 00007FF6C042129C Relevance: 1.6, APIs: 1, Instructions: 73COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                                                                    • String ID:
                                                                                    • API String ID: 680105476-0
                                                                                    • Opcode ID: c0d312b4e0c8f4018cd2918558ed466c16d78a5e43cb187cca2cc725d26fc057
                                                                                    • Instruction ID: 57e8829788258e3e6adf3e97a1ca589e22e2b5da572cc6e9a352781a2582d3b2
                                                                                    • Opcode Fuzzy Hash: c0d312b4e0c8f4018cd2918558ed466c16d78a5e43cb187cca2cc725d26fc057
                                                                                    • Instruction Fuzzy Hash: 9F21AE22B08651E5EA149E92A50427B6251BB14FF1F688B30DFBEC7BE1DF7CE0518344
                                                                                    Function 00007FF6C046124C Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                    • Instruction ID: ebdc4c15ad389aa6bcb76d5bfb3682a8211497fd113251732194f7ed66926894
                                                                                    • Opcode Fuzzy Hash: 9dd5a9e84c18447e56e2265fa04046f11d37b96b7f5b774ce3305aa6458b3f00
                                                                                    • Instruction Fuzzy Hash: 3D115E32A1CA82E6F7209F50A49057B73A4FB40781F588575EACDD77A6EF2CE8408740
                                                                                    Function 00007FF6C0423AD8 Relevance: 1.5, APIs: 1, Instructions: 39COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: dd833eb704b03c62a36fea145c0b0b4abee32047d89ef2e694e61e0216d7ee09
                                                                                    • Instruction ID: 541c91011eaf36cc7e07166ea5b176133a661b847c4617cda0dce76b79102c73
                                                                                    • Opcode Fuzzy Hash: dd833eb704b03c62a36fea145c0b0b4abee32047d89ef2e694e61e0216d7ee09
                                                                                    • Instruction Fuzzy Hash: A901C4A2F1C685D1EA159F28E44526E7362FB89792F409231EADCC7BA6DF2CE1408704
                                                                                    Function 00007FF6C0451558 Relevance: 1.5, APIs: 1, Instructions: 38COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C0451604: GetModuleHandleW.KERNEL32(?,?,?,00007FF6C0451573,?,?,?,00007FF6C045192A), ref: 00007FF6C045162B
                                                                                    • DloadProtectSection.DELAYIMP ref: 00007FF6C04515C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: DloadHandleModuleProtectSection
                                                                                    • String ID:
                                                                                    • API String ID: 2883838935-0
                                                                                    • Opcode ID: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                                    • Instruction ID: 200c2b81d7ff8623bb92642ed66f6518172798d37676039121a062fa42a781a9
                                                                                    • Opcode Fuzzy Hash: 908f49ac33541a8240f4269ada82e733cc5c0c647bda27ab8868a2cee9a60ef3
                                                                                    • Instruction Fuzzy Hash: 9611A8B4D09516F1FB619F05A84037223A0AF5474BF54893AC9CDC63B1EF3CA895C781
                                                                                    Function 00007FF6C0433EC8 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C04340BC: FindFirstFileW.KERNELBASE ref: 00007FF6C043410B
                                                                                      • Part of subcall function 00007FF6C04340BC: FindFirstFileW.KERNELBASE ref: 00007FF6C043415E
                                                                                      • Part of subcall function 00007FF6C04340BC: GetLastError.KERNEL32 ref: 00007FF6C04341AF
                                                                                    • FindClose.KERNELBASE(?,?,00000000,00007FF6C0440811), ref: 00007FF6C0433EFD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$FileFirst$CloseErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1464966427-0
                                                                                    • Opcode ID: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                                    • Instruction ID: 4d0ef3cf6c22f74e34ff05e3e51f20ad67e615c4247e2a664740f2cff73a6b0e
                                                                                    • Opcode Fuzzy Hash: 18fe74ab7ca813274cb64c08179860cc48efc587ad39327f0b25563dc18ddab5
                                                                                    • Instruction Fuzzy Hash: 83F0A46290C241D5DA10AF75A1001BA37619B1DBB6F14A379EABDC73C7CF2CD4448744
                                                                                    Function 00007FF6C0421FA0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: 23cadb91fec3bdd2c960eb1b128b5d9638ce6be25c9e1389157b11379c408e93
                                                                                    • Instruction ID: 44c95058d293afe88e9b65ebd1f9c43ac0c143b4bf0110ff8b5ea96dafc48b77
                                                                                    • Opcode Fuzzy Hash: 23cadb91fec3bdd2c960eb1b128b5d9638ce6be25c9e1389157b11379c408e93
                                                                                    • Instruction Fuzzy Hash: AAF0BEA5B10689D0EE188F69D08836D2362EB04F89F508431D79CCBB65DF6CD480C300
                                                                                    Function 00007FF6C043273C Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: File
                                                                                    • String ID:
                                                                                    • API String ID: 749574446-0
                                                                                    • Opcode ID: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
                                                                                    • Instruction ID: db2a9098f1cec88669f6c0f20fe13f9c0c9b01f4821df036f9a7e188692e891f
                                                                                    • Opcode Fuzzy Hash: 182d9e1e92039184aab4081fafd09b1cf385b4bd914a3c272b872952a66d9790
                                                                                    • Instruction Fuzzy Hash: 4AE08C22A24515D2EB20AF2AD84263A2320AF8CB86F48A030CE8DC7321CF28C4858B00
                                                                                    Function 00007FF6C0432490 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileType
                                                                                    • String ID:
                                                                                    • API String ID: 3081899298-0
                                                                                    • Opcode ID: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                                    • Instruction ID: 1dfaea89a571cc8291169198082f09bfadc22f55591fefb05687f94119a331a4
                                                                                    • Opcode Fuzzy Hash: df9a28314c6b6fddfb177ebf539387614dcb0363737e1ba4f38fe55c4f903e1a
                                                                                    • Instruction Fuzzy Hash: D4D01222D09441E2DD109B359D5103E3350AFA6736FA45730D7BEC27E1CF1D949AA311
                                                                                    Function 00007FF6C0437FC4 Relevance: 1.5, APIs: 1, Instructions: 9COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory
                                                                                    • String ID:
                                                                                    • API String ID: 1611563598-0
                                                                                    • Opcode ID: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                    • Instruction ID: 24f4ae1f408f5b0a1c3e1910ca162234289f7a13442020ae68d1f0027799109b
                                                                                    • Opcode Fuzzy Hash: 176ab68ebee512dad0278907058cd855c5c44f8615b79807412a7d406b36e525
                                                                                    • Instruction Fuzzy Hash: D6C08C20F05502C1DA085F26C8C901913A4BB44B06F61C038C58CC2260DF2CC5EE9345
                                                                                    Function 00007FF6C045FA04 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocHeap
                                                                                    • String ID:
                                                                                    • API String ID: 4292702814-0
                                                                                    • Opcode ID: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                    • Instruction ID: 4fdad17ea74ea54886c23418623bc655bbef40f70062fe82d615c19b969da8fd
                                                                                    • Opcode Fuzzy Hash: c4d23aaef5024e3722ccbb242168b3e22d65bf63548bcaacbbf61b8d0a3ba7a1
                                                                                    • Instruction Fuzzy Hash: 93F06269F09617E5FE545F6195113B732905F84B42F0CD430C98DC63C1EF1CE9818312
                                                                                    Function 00007FF6C045D94C Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocHeap
                                                                                    • String ID:
                                                                                    • API String ID: 4292702814-0
                                                                                    • Opcode ID: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                    • Instruction ID: d4a85b0e44c1c6944ba367aab24433978b46702cc8a59f7786644449ef70d998
                                                                                    • Opcode Fuzzy Hash: 5fa632deebd8181b9f3ea37834cf4eccbda839d7d0d6f948310c23224b4a93e7
                                                                                    • Instruction Fuzzy Hash: CDF0F8A9B0924BE5FF646FB158512B736905F847A2F08DA34D9EEC63C5EF2CA4818710
                                                                                    Function 00007FF6C04320D0 Relevance: 1.3, APIs: 1, Instructions: 29COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandle
                                                                                    • String ID:
                                                                                    • API String ID: 2962429428-0
                                                                                    • Opcode ID: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                    • Instruction ID: f2ee542fa4b4e975fcc951d0f3cba17dae2aaa22de43bd8736bba7b95964aee5
                                                                                    • Opcode Fuzzy Hash: ccbd9008d2c4ce7168f8d058ff2f34620ae6bf54bfe45a0cbca9d6a6f1a7c065
                                                                                    • Instruction Fuzzy Hash: 31F08132A18682E5FF248F20E24127A7660EB18B7AF499335D7BCC62D4DF28D8958700

                                                                                    Non-executed Functions

                                                                                    Function 00007FF6C042C2F0 Relevance: 49.8, APIs: 24, Strings: 4, Instructions: 754fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                                                                    • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                    • API String ID: 2659423929-3508440684
                                                                                    • Opcode ID: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                                    • Instruction ID: 75c52fe1649a7605a2508e7ae1257f6ee854f7fb63d385dec7ac8f3199706d09
                                                                                    • Opcode Fuzzy Hash: 133043678a36d966ba880c912d6856c5696a7c6c433e50d223eb52f27bd95b56
                                                                                    • Instruction Fuzzy Hash: 4A6290A2F18642E5FB00DF74D4492AE2361AF857A5F509232DAADD7BD6DF38E185C300
                                                                                    Function 00007FF6C043F180 Relevance: 43.2, APIs: 22, Strings: 2, Instructions: 1205COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                                                                    • String ID: %ls$%s: %s
                                                                                    • API String ID: 2539828978-2259941744
                                                                                    • Opcode ID: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                                    • Instruction ID: b965a01e7c6b2699c32ab3553393d653444e78e05f89adb5a6bdb115e93de925
                                                                                    • Opcode Fuzzy Hash: 945c123c5738f6103966ecffbffa27c83b3bf35cf43ea0aac1725ee40d95c140
                                                                                    • Instruction Fuzzy Hash: 47B28762A58682E1EA109F65E4541BB6311EFDA792F109336E7DDC3BE6EF2CD540C700
                                                                                    Function 00007FF6C0462550 Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfomemcpy_s
                                                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                    • API String ID: 1759834784-2761157908
                                                                                    • Opcode ID: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                    • Instruction ID: 23e6046bc3f6861cd29529368992e51290eac6fff634aca26d8ce9b5e6273dda
                                                                                    • Opcode Fuzzy Hash: c1568b5568d689d261f1f0b975b9c1104ab10acfc5286cd5346a40821ab4f9bc
                                                                                    • Instruction Fuzzy Hash: B5B2D672A08682EBE7258F65D5407FE37A1FB8478AF509135DB4AD7B84EF38E5048B00
                                                                                    Function 00007FF6C0431A48 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 375fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                                                                    • String ID: rtmp
                                                                                    • API String ID: 3587137053-870060881
                                                                                    • Opcode ID: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
                                                                                    • Instruction ID: 7433332cf59b37aca643f1dd8ca977d756add89591ce8f09ccd3f5c1b33cba27
                                                                                    • Opcode Fuzzy Hash: 3dcc5890c2e22e4a5feb2ae31f1f4ae3f3b67a4ee4a7a529d594af89e49fc87b
                                                                                    • Instruction Fuzzy Hash: 4FF1E162B08A42E1EB10CF65D4841BF6761EB99BC5F50A136EA8DC3BA9DF3CD584C740
                                                                                    Function 00007FF6C0435B60 Relevance: 12.3, APIs: 8, Instructions: 256COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 1693479884-0
                                                                                    • Opcode ID: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                                    • Instruction ID: ce99496107d3ae05995867c1cac3ee6ef1c2b5bcfe767034ebab825000d9e26c
                                                                                    • Opcode Fuzzy Hash: 35b10314ce3b8e4c64707b679fc70269f3b9094245ec8e91ba41ccecbc270bb7
                                                                                    • Instruction Fuzzy Hash: 53A19F62F14B52D4FE008F7998451BE2361AB89BA9F14A235DEADD7BC9DF3CE1418300
                                                                                    Function 00007FF6C0453170 Relevance: 10.6, APIs: 7, Instructions: 72COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 3140674995-0
                                                                                    • Opcode ID: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                    • Instruction ID: ec088331962331e33584337e2f8af1a0d9c1229ce0d9e07f7aa8d5be8e8ec297
                                                                                    • Opcode Fuzzy Hash: eb4060bcbbf6947450414bc0ac192b8da1feec02df413969c5a674799d26ef14
                                                                                    • Instruction Fuzzy Hash: AF313E76608B81DAEB608F60E8503EA7371FB84B45F448439DA8DC7B98EF38D548C710
                                                                                    Function 00007FF6C04576D8 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 1239891234-0
                                                                                    • Opcode ID: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                    • Instruction ID: b8d2b1850d1694fbe8a6b644a5c6b1bc96fc2b440d523381479d192189722e62
                                                                                    • Opcode Fuzzy Hash: 5940ef1d6d2c32beaf7af9e8e0892e721e3d30544378453b8f42f9f5775f8da8
                                                                                    • Instruction Fuzzy Hash: C9314F36608B81D6EB60CF25E8402AE73A4FB88B55F544135EE9DC3B59EF38D555CB00
                                                                                    Function 00007FF6C0421AA4 Relevance: 6.3, APIs: 4, Instructions: 285COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3668304517-0
                                                                                    • Opcode ID: c264b490cac148f64dd39c131735208f64494c1dc21ecf378d5d3bcbd534f5da
                                                                                    • Instruction ID: ef2fa6ac8a46e43b027351fc4ab10762e1025d6acde7f29393d38eb3ec10e64a
                                                                                    • Opcode Fuzzy Hash: c264b490cac148f64dd39c131735208f64494c1dc21ecf378d5d3bcbd534f5da
                                                                                    • Instruction Fuzzy Hash: DEB1D662B14686E5EB109F65D8482EF2361FF99B85F409231EA9DC7BA9DF3CD540C300
                                                                                    Function 00007FF6C045FA94 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C045FAC4
                                                                                      • Part of subcall function 00007FF6C0457934: GetCurrentProcess.KERNEL32(00007FF6C0460CCD), ref: 00007FF6C0457961
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                    • String ID: *?$.
                                                                                    • API String ID: 2518042432-3972193922
                                                                                    • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                    • Instruction ID: c5012e67b6624b875aee270761e7304093fe9e84a6c208f60423bb738eb43b84
                                                                                    • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                                                                    • Instruction Fuzzy Hash: B251E276B15AA9D1EF11DFA194100BA73A0FB48BD9B448531DE9DC7B89DF3CE0428301
                                                                                    Function 00007FF6C0462080 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: memcpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 1502251526-0
                                                                                    • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                    • Instruction ID: 98a3f1c954533774d208836a32b12120ac7882ab7b62fa70467cde99f4a4ce53
                                                                                    • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                                                                    • Instruction Fuzzy Hash: ADD18232B18686E7DB74CF15A2846AAB791F798785F148134DB8AD7B44EF3CE8418B00
                                                                                    Function 00007FF6C042B6D8 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFormatFreeLastLocalMessage
                                                                                    • String ID:
                                                                                    • API String ID: 1365068426-0
                                                                                    • Opcode ID: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                    • Instruction ID: 87ca32ef5e6d52f0e078c1553e5fd7e867c59859936557d2dfa767d36cc8bd69
                                                                                    • Opcode Fuzzy Hash: c27e05edbcf0c556cf9f4b9f4aa6354f64d9dc72ff0f252d3a2ededa039666af
                                                                                    • Instruction Fuzzy Hash: 3E01E87570C742D2E6109F62B89417BA3A5BBC9BC6F488138EACEC6B49DF3CD5058B40
                                                                                    Function 00007FF6C045FCA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 97COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: .
                                                                                    • API String ID: 0-248832578
                                                                                    • Opcode ID: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                    • Instruction ID: a29e4d53a7ca7b4d333cfbbbd85e62be40bd969d3e56d9aacc06e0dcfee6353d
                                                                                    • Opcode Fuzzy Hash: 7c9d8364e7b62915daf92aecf888b4814fe01b6aae5fc02ec6e7aa2f3019df5b
                                                                                    • Instruction Fuzzy Hash: A1312836B086A595FB209F36A8057AB7A91AB94BE5F04C234EE9DC7BD5CF3CD5018300
                                                                                    Function 00007FF6C0465AF8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionRaise_clrfp
                                                                                    • String ID:
                                                                                    • API String ID: 15204871-0
                                                                                    • Opcode ID: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                    • Instruction ID: ec86e200b0730fa3c51df48d330e057310b1170f97c472a29215b36e1ce5c9a3
                                                                                    • Opcode Fuzzy Hash: 131550a8e914c8a4384a7255cc8ec53066b4dff0b7ecc1394be8dfb6b4310eca
                                                                                    • Instruction Fuzzy Hash: C5B13873604B89CAEB19CF29C8463697BA0F744B49F19C922DA9DC77A8DF39D451C700
                                                                                    Function 00007FF6C0448DF4 Relevance: 3.2, APIs: 2, Instructions: 186COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectRelease$CapsDevice
                                                                                    • String ID:
                                                                                    • API String ID: 1061551593-0
                                                                                    • Opcode ID: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                                    • Instruction ID: 2e3a1b3009de92d0d68d75c79b0bcab4ab9f550ffb4da81dbc4c37d4fa013da1
                                                                                    • Opcode Fuzzy Hash: 68dbe16693602acb82a0a9c061fd0d735b77194d41f4ab9e90264308bb487059
                                                                                    • Instruction Fuzzy Hash: DB812B36B08A05E6EB10CFAAD4406AE3771FB88B89F108526DE8DD7724DF38D545C780
                                                                                    Function 00007FF6C044A2CC Relevance: 3.0, APIs: 2, Instructions: 46COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FormatInfoLocaleNumber
                                                                                    • String ID:
                                                                                    • API String ID: 2169056816-0
                                                                                    • Opcode ID: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                    • Instruction ID: bb8303411e9a64dd5a8a8e6e78f5de27133c2e41d1f35447e0360c784fb43227
                                                                                    • Opcode Fuzzy Hash: a0c8fcaef59427837b2a7c7753e3d717a8442860a15e47712294eddcbb527c28
                                                                                    • Instruction Fuzzy Hash: 32110822A18B81E5E6618F61E4507AA7360FF88B85F848135DA8DC3754EF3CD149CB44
                                                                                    Function 00007FF6C043126C Relevance: 1.7, APIs: 1, Instructions: 241COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C04324C0: CreateFileW.KERNELBASE ref: 00007FF6C043259B
                                                                                      • Part of subcall function 00007FF6C04324C0: GetLastError.KERNEL32 ref: 00007FF6C04325AE
                                                                                      • Part of subcall function 00007FF6C04324C0: CreateFileW.KERNEL32 ref: 00007FF6C043260E
                                                                                      • Part of subcall function 00007FF6C04324C0: GetLastError.KERNEL32 ref: 00007FF6C0432617
                                                                                    • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C04315D0
                                                                                      • Part of subcall function 00007FF6C0433980: MoveFileW.KERNEL32 ref: 00007FF6C04339BD
                                                                                      • Part of subcall function 00007FF6C0433980: MoveFileW.KERNEL32 ref: 00007FF6C0433A34
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 34527147-0
                                                                                    • Opcode ID: 980cd56be866766a23a9553c8d4159ccf1d73d98ddfd7d5c2418f08c88695bde
                                                                                    • Instruction ID: 7c599c52cf33db7344270ee12e7648d4958f29e42d7b81b4a43a59c3a791c628
                                                                                    • Opcode Fuzzy Hash: 980cd56be866766a23a9553c8d4159ccf1d73d98ddfd7d5c2418f08c88695bde
                                                                                    • Instruction Fuzzy Hash: 8591AE62B18A46E2EA10DF66D4442AF6361FB98FC5F40A032EE8DC7BA5DF38D545C740
                                                                                    Function 00007FF6C04351A4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Version
                                                                                    • String ID:
                                                                                    • API String ID: 1889659487-0
                                                                                    • Opcode ID: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
                                                                                    • Instruction ID: 1650c1e40ccdb96f5c78b1e94e03069644a84634af00d1178a3fff85baeffcf1
                                                                                    • Opcode Fuzzy Hash: 6220f8f0736b52f52a4f9f0684f7fcd1da0b773ba531a70ae5974f71c0de4052
                                                                                    • Instruction Fuzzy Hash: 890113B2A18642EAE6648F14E84077B33A1BB98316F508235DAADC3790DF3CE5048F40
                                                                                    Function 00007FF6C0458C1C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: 0
                                                                                    • API String ID: 3215553584-4108050209
                                                                                    • Opcode ID: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                    • Instruction ID: b29a9818acf5aace1b4b8a571f86877cfbcced8982a58bdcd4213fa418cdfef9
                                                                                    • Opcode Fuzzy Hash: 0fbd957179d89af9e1d3453d65279f22830f04fe064c784c04e338e6c7bf3646
                                                                                    • Instruction Fuzzy Hash: 9281F23AA18242E6FAA88E25804067F32F0EF51746F549539DDC9E7BD5CF2DE84AC740
                                                                                    Function 00007FF6C04589A0 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: 0
                                                                                    • API String ID: 3215553584-4108050209
                                                                                    • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                    • Instruction ID: ec844901045d0e143a7da7d0ce7c30561a709dda8d0d4c79841e79ec790ebc8b
                                                                                    • Opcode Fuzzy Hash: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                                                                    • Instruction Fuzzy Hash: DF71B179A0C282E6FAA88E29904027F37909F41746F18D53ADDC9E7796CF2DFC468741
                                                                                    Function 00007FF6C043C96C Relevance: 1.4, Strings: 1, Instructions: 142COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: gj
                                                                                    • API String ID: 0-4203073231
                                                                                    • Opcode ID: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                    • Instruction ID: f8542b03e0ebfd5fd6c749b53c8ce978c34035106712f5852621804369d906b8
                                                                                    • Opcode Fuzzy Hash: 226aa63bfce789330e15763d8953fb7d553c3450d9c1aa6f260de1088bdface5
                                                                                    • Instruction Fuzzy Hash: EC5190377286909BD724CF25E404A9EB3A5F388758F459126EF8A93B09CB3DE945CF40
                                                                                    Function 00007FF6C045C838 Relevance: 1.4, Strings: 1, Instructions: 139COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: @
                                                                                    • API String ID: 0-2766056989
                                                                                    • Opcode ID: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                    • Instruction ID: 07f7dc01aa22673875055e6eabd14bc0a7497eb1d33c8ec255cbd2e8289f47a8
                                                                                    • Opcode Fuzzy Hash: 49e7fa989fc271adaa8e130b28d1cae0d9f82f392019a5f874cdac11a507a941
                                                                                    • Instruction Fuzzy Hash: C441BD72714A54CAEE04CF2AE4582AA73A5AB58FD0B499136DE4DC7754EF3CD086C340
                                                                                    Function 00007FF6C0460D20 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapProcess
                                                                                    • String ID:
                                                                                    • API String ID: 54951025-0
                                                                                    • Opcode ID: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                    • Instruction ID: 7f8761ce31e6617169777c7ed894ac20ecb88fc5206dd5c099b1d25f830f3335
                                                                                    • Opcode Fuzzy Hash: 4ce929ddb23f73c0a8458b43b9ad49d4d7e2a2f746430c3d48bba7e89996d797
                                                                                    • Instruction Fuzzy Hash: 91B09230E27A42E2EA082F516C8225523E4BF48B02F98C139C58CC1320EF2D24E54700
                                                                                    Function 00007FF6C0443964 Relevance: .9, Instructions: 931COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                                    • Instruction ID: 7f43365ed46534438e89d02ca3332a16b5a20f6edd77c8616aa33cb9a544d366
                                                                                    • Opcode Fuzzy Hash: 93e830777a8553980f5fe243353a36f6d8d27a5fc8052bc9569f2c684e316ecf
                                                                                    • Instruction Fuzzy Hash: 7A82E1A2A096C1A6D705CFA8D4442BD7BA2E795F8AF19C13ADA8EC7385DF3CD445C310
                                                                                    Function 00007FF6C04276C0 Relevance: .9, Instructions: 893COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                    • Instruction ID: 25a68ea5cc7bd3a6419982070de3de8fcb57ead0cecefd5df7031043095ad47a
                                                                                    • Opcode Fuzzy Hash: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                                                                    • Instruction Fuzzy Hash: 61627E9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                                                                    Function 00007FF6C04453F0 Relevance: .9, Instructions: 891COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                                    • Instruction ID: 548e631c27a1ff3f03fac2ae0e16191a331b3adb64ccf780eef03761d10d1afe
                                                                                    • Opcode Fuzzy Hash: 569adc29ececf777b1726fc3f5cd67d4b9927b4b604ee9515eb09b13eba64041
                                                                                    • Instruction Fuzzy Hash: 3E82FFB2A096C1AADB24CF68D4446FD7BA1E755B49F18C136CA8DC778ACF389885C710
                                                                                    Function 00007FF6C043BB90 Relevance: .6, Instructions: 587COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                    • Instruction ID: b58ad9a8f254d3f077cc305f185f0c619baa68e87ce5d5d0e0f4434f80cf5425
                                                                                    • Opcode Fuzzy Hash: ffdf8f5a64276e3eb417e3b9ae5b43350349d41efb04db03fca9f8ba9e24336f
                                                                                    • Instruction Fuzzy Hash: 7122F373B206508BD728CF25C89AE5E3766F798344B4B8228DF4ACB789DB38D505CB40
                                                                                    Function 00007FF6C0444B98 Relevance: .6, Instructions: 578COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                    • Instruction ID: 36172a2deffece0a333a766aae85de77117dbca4b9dcb193a6da567c8729e5ab
                                                                                    • Opcode Fuzzy Hash: 21143e83615dcc23e36b64f0d60848ac948cba63854c17a605a1a3ec217f9251
                                                                                    • Instruction Fuzzy Hash: 2F32CFB2A04591ABE718CF24D550ABE37A1F794B49F05C139DA8AC7B89DF3CE864C740
                                                                                    Function 00007FF6C0427288 Relevance: .3, Instructions: 294COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                    • Instruction ID: 539415a41750f1927ca9c43d162af5be930a361bac67573335b89680616524a8
                                                                                    • Opcode Fuzzy Hash: 063370d9e2e9571dc593e8358d008e0ec5385ad0435e9f2f5019d46da215c13b
                                                                                    • Instruction Fuzzy Hash: 1FC19DB7B281908FE350CF7AD400A9D3BB1F39878CB519125EF59A7B09D639E645CB40
                                                                                    Function 00007FF6C0442D58 Relevance: .3, Instructions: 268COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                                    • Instruction ID: c1201e75a404fa1e2fb7da0ef738f64162b8d29c139a6d3d5b846cb3e96516f2
                                                                                    • Opcode Fuzzy Hash: 602477e063b5c1ca901f2159ae3c7fc010244aaa433e93e1960e83d539d05e76
                                                                                    • Instruction Fuzzy Hash: 6EA10272A08182F6EB15CE64D5047FB6692EBA4B46F95C635DACAC7786CF3CE841C300
                                                                                    Function 00007FF6C043AF18 Relevance: .2, Instructions: 244COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                                    • Instruction ID: 55e0c4811543f8b1ec3906ec4bde1d4adbf44ac1bc69a5b5824d86729b51bf17
                                                                                    • Opcode Fuzzy Hash: e3f156a61251d3696a660eff3e2c5499dd818c979554cbf7ea7c30eccab92618
                                                                                    • Instruction Fuzzy Hash: 10C1F677A291E08DE302CBB5A4248FD3FB1E71E34DB4A4151EFD697B4AD6285201DF60
                                                                                    Function 00007FF6C042A310 Relevance: .2, Instructions: 230COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID:
                                                                                    • API String ID: 190572456-0
                                                                                    • Opcode ID: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                    • Instruction ID: 85a94764dc1c11620cbb6abdb96d19e928486cd38bfb8493620a3968d2344bab
                                                                                    • Opcode Fuzzy Hash: ba0d91b71a6ba36ace61fab0c0f7d4922daa1e3f8d028e3e8b3457ff5b2a4fa0
                                                                                    • Instruction Fuzzy Hash: 27912F62B18581A6EB11CF29D4552EE6721FF99789F445031EF8EC7B49EF38E646C300
                                                                                    Function 00007FF6C043B534 Relevance: .2, Instructions: 181COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
                                                                                    • Instruction ID: e42ea1ada08c45b9af4eb6f0ff495a7cbcd21b8b415e90b4fd0caa3122ec8469
                                                                                    • Opcode Fuzzy Hash: cfd80b8924012b3a81ce264cde7180753b201b1e387c519ebd9873ce58afa85e
                                                                                    • Instruction Fuzzy Hash: F761FF22B181D1A9EB118F7585005FE7BA1E759789B468032CFDAD7746CF2CE506CB90
                                                                                    Function 00007FF6C04421D0 Relevance: .1, Instructions: 137COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
                                                                                    • Instruction ID: 57ce7081973123b1b416341fb658eae8d7d672ce7c5ef2dc770834248e8ad6b3
                                                                                    • Opcode Fuzzy Hash: 8137a9b05b05aada6fbcd6bbdda66db02b1ef4637fe403d2df7c72722ebbdea5
                                                                                    • Instruction Fuzzy Hash: FF51F173A18151ABE7298F6892047AE7762F790B49F848134DB89C7788DF3DE541CB00
                                                                                    Function 00007FF6C0442AB0 Relevance: .1, Instructions: 112COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
                                                                                    • Instruction ID: 6c170cfd244ea48869c7c7f1e2bab38dc6c88f7260d1a7fa33787a5e4eba9d85
                                                                                    • Opcode Fuzzy Hash: 525267a7f117e2089c634eae81b531c40420bccc1aa688f1dd99d62513960580
                                                                                    • Instruction Fuzzy Hash: 5331D2A2A08581ABD708CE5A96502BF7791F784385F44D139DF8AC3B81DF3CE441CB00
                                                                                    Function 00007FF6C04658E0 Relevance: .0, Instructions: 32COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
                                                                                    • Instruction ID: 933276cf61b7cc95ad7a93ae5760af6b8973e5dbea70963b44a6675263fe218d
                                                                                    • Opcode Fuzzy Hash: 20052d42666034676028b01d15d2cffdefdd266dec7e2dd0f98b8d8f07818195
                                                                                    • Instruction Fuzzy Hash: ABF062B2B28695DBDBA48F2DA84262A77D0F708381F84C53AD6CDC3B04DB3C94609F44
                                                                                    Function 00007FF6C0453354 Relevance: .0, Instructions: 2COMMON
                                                                                    Download Yara Rule
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
                                                                                    • Instruction ID: 0906b286ed95a9c60fb466a7ddb54dffa4036513d5244c53de8855b0505664ed
                                                                                    • Opcode Fuzzy Hash: e57e15d0ab639cfe726454a8769b7378f2b682ff734fe90589bfb13db1bf513a
                                                                                    • Instruction Fuzzy Hash: 2DA0027590CC46F0E6448F10E9600763331FBA0703B508175F88DC13A4EF3DA541C300
                                                                                    Function 00007FF6C042D7D0 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 98COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                                                                    • API String ID: 3668304517-727060406
                                                                                    • Opcode ID: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
                                                                                    • Instruction ID: 56b39a7cfe72bcf9509942e66978de1208f54ac5e9631b2c9f0d8fe299de9d62
                                                                                    • Opcode Fuzzy Hash: 036f0b4177b3bd4acf8be137eac01bdc749329f6e627dd372102b0288b9b6631
                                                                                    • Instruction Fuzzy Hash: A941D776B05B01E9EB008F65E4443EA33B5EB48799F40823ADA9CD3B69EF38D155C394
                                                                                    Function 00007FF6C0452A10 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                                                                    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                    • API String ID: 2565136772-3242537097
                                                                                    • Opcode ID: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                                    • Instruction ID: efb10c2514bccb9fea723a0b0956fceed59ed354e7254ed7f4ee1b4110928fe6
                                                                                    • Opcode Fuzzy Hash: 6e1e709f092c3aabc6fb1c9db3d7c09c3ef1a4a7bf2af41e7ac9402dec2f511f
                                                                                    • Instruction Fuzzy Hash: 5A210C74E09A03F2EA559F50E95417A33A0AF55B82F44853AD9CEC27A0EF3CB4858340
                                                                                    Function 00007FF6C0436A0C Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 444COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                                                                    • String ID: DXGIDebug.dll$UNC$\\?\
                                                                                    • API String ID: 4097890229-4048004291
                                                                                    • Opcode ID: caeda946b173b290eeb0eea351584ffd7bcd35d17f0c3fb79cdbd079912c01be
                                                                                    • Instruction ID: 1734dbf7e0890ffd70ae1f10fffc69618c0b3cea3716f8a8634a8428b6bc7942
                                                                                    • Opcode Fuzzy Hash: caeda946b173b290eeb0eea351584ffd7bcd35d17f0c3fb79cdbd079912c01be
                                                                                    • Instruction Fuzzy Hash: 8312BC62B08A42E0EA10DF64E0441AE6375EB89B99F509236DBDDC7BE9DF3CD549C340
                                                                                    Function 00007FF6C044A440 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 257COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                                                                    • String ID: GETPASSWORD1$Software\WinRAR SFX
                                                                                    • API String ID: 431506467-1315819833
                                                                                    • Opcode ID: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                                    • Instruction ID: c2ad28c9ce9f64f5bccf4f1773c8c688f61bbc68e6832096d5a3dbdb5c0c2145
                                                                                    • Opcode Fuzzy Hash: 100daac0e34165666268f43f408bc6971489d972bf40231fa28c726ba550acfe
                                                                                    • Instruction Fuzzy Hash: 89B19DA2F19B42E5FB00DFA4D4442BE2362AB45799F408235DA9CE6BD9EF3CE155C340
                                                                                    Function 00007FF6C0446E80 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 204memoryCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$Global$AllocCreateStream
                                                                                    • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                                                                    • API String ID: 2868844859-1533471033
                                                                                    • Opcode ID: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                                    • Instruction ID: d3178e1bcd4eb85be8cebd16dac164465f9110b0c7dd7a04ee40bf3623504885
                                                                                    • Opcode Fuzzy Hash: 31d7dc5894d1c9fa85229d9e77b41a308ef747ae09a8312bf4b27f03762016a6
                                                                                    • Instruction Fuzzy Hash: 2A817C62B18A42E5FB00DFA5D4401EE3375AB4978AF408136DE9DD779AEF78D50AC340
                                                                                    Function 00007FF6C045E650 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                                                    • API String ID: 3215553584-2617248754
                                                                                    • Opcode ID: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                    • Instruction ID: 235c390b7589497ec955317d4dc4ee8d3937a79444783415c50d3901ac4894d2
                                                                                    • Opcode Fuzzy Hash: ca8329083cbd7a022b2adefca7a3bb58d0ae1dff90efa4c28dbe4d3f14657870
                                                                                    • Instruction Fuzzy Hash: 92418D76A09B45E9EB04CF25E8517AA33A4EB18398F418136EE9CC7B54EF3CD029C344
                                                                                    Function 00007FF6C044F390 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85windowCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$MessageObjectSend$ClassDeleteLongName
                                                                                    • String ID: STATIC
                                                                                    • API String ID: 2845197485-1882779555
                                                                                    • Opcode ID: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                    • Instruction ID: 6827c6016d983938dd863bef20a3f5c5160554d913610de0c8e80cc802c4ca0f
                                                                                    • Opcode Fuzzy Hash: 028936735c5caa7e1c5955390d3996a5d13f8d6e72d7f98742e6e6c768b0ab82
                                                                                    • Instruction Fuzzy Hash: 6D31D221B08652E2FA61DF62A514BBB2391BF99BD2F008431DD8DC7B56DF3CE4028780
                                                                                    Function 00007FF6C044AE90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemTextWindow
                                                                                    • String ID: LICENSEDLG
                                                                                    • API String ID: 2478532303-2177901306
                                                                                    • Opcode ID: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                    • Instruction ID: 4048283fd304c7dd7ca362f36117473ebdb6932becc7ac3c0982de492554705e
                                                                                    • Opcode Fuzzy Hash: 35fefc179f922e98870b8a3b257cf5e504c5ed53f195972dc606f5139ed8380b
                                                                                    • Instruction Fuzzy Hash: 5F418E21A08A52E2FB508F56A85477B22A0AF84B86F14C535DD8EC7B95CF3CE9468740
                                                                                    Function 00007FF6C043B9B4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84libraryloaderCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CurrentDirectoryProcessSystem
                                                                                    • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                    • API String ID: 2915667086-2207617598
                                                                                    • Opcode ID: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                    • Instruction ID: e67dc9d8b8a0099347aa530b4cd96832167297a51efe9fac813d6c9adefa1a35
                                                                                    • Opcode Fuzzy Hash: d2e93635ec338890dfe438c4789fcaf7e26687fbfe6c7ce53d5981307f2d6baa
                                                                                    • Instruction Fuzzy Hash: 9F317020A0DB03E1FA149F15A96427727A1AF49B96F14D636CADEC37A4EF3CF5418780
                                                                                    Function 00007FF6C04487D8 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 415COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID: $
                                                                                    • API String ID: 3668304517-227171996
                                                                                    • Opcode ID: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                                    • Instruction ID: 8e32d1aa57c3899998256de032aa8a8b7c43327accec4c2641d5a629be7154db
                                                                                    • Opcode Fuzzy Hash: 7957b1f7c23d8b99e8b957fd2374c8a83d1170bc9397b993806739df2f8497c6
                                                                                    • Instruction Fuzzy Hash: 9FF1C1A2F15B46F0EE109FA4D4881BE2361AB54B9AF509239DAADD37D5DF7CE180C340
                                                                                    Function 00007FF6C04557EC Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 317COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                                    • String ID: csm$csm$csm
                                                                                    • API String ID: 2940173790-393685449
                                                                                    • Opcode ID: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                    • Instruction ID: 05de6aa7fd0414abafcf993a5b20baf6d5f84f7e3563c49073f5e2d5662e33f2
                                                                                    • Opcode Fuzzy Hash: 65edb01f61f21fff02eaccc9a46b43a233fa456fccf40e480b66f774ee54b1a7
                                                                                    • Instruction Fuzzy Hash: 06E19D7AA08782DAE7219FA4D4903BE77A0FB45759F148135EA8DC7796CF38E485CB00
                                                                                    Function 00007FF6C0434F38 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocClearStringVariant
                                                                                    • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                                                                    • API String ID: 1959693985-3505469590
                                                                                    • Opcode ID: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                    • Instruction ID: 35cb04e9f8450a1954fe1f903298a0b13448ce3b59843950196f849c77dc2b1a
                                                                                    • Opcode Fuzzy Hash: a8b35b7bcd37d82ee4aaa20c3b876beaab518b1de9e1ce59ea14af8b32f1fe8d
                                                                                    • Instruction Fuzzy Hash: D6712B76A14A05E5EB10CF25D8805AE77B0FB88B99F049236DA8EC3B64DF38D544C740
                                                                                    Function 00007FF6C04572EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6C04574F3,?,?,?,00007FF6C045525E,?,?,?,00007FF6C0455219), ref: 00007FF6C0457371
                                                                                    • GetLastError.KERNEL32(?,?,00000000,00007FF6C04574F3,?,?,?,00007FF6C045525E,?,?,?,00007FF6C0455219), ref: 00007FF6C045737F
                                                                                    • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF6C04574F3,?,?,?,00007FF6C045525E,?,?,?,00007FF6C0455219), ref: 00007FF6C04573A9
                                                                                    • FreeLibrary.KERNEL32(?,?,00000000,00007FF6C04574F3,?,?,?,00007FF6C045525E,?,?,?,00007FF6C0455219), ref: 00007FF6C04573EF
                                                                                    • GetProcAddress.KERNEL32(?,?,00000000,00007FF6C04574F3,?,?,?,00007FF6C045525E,?,?,?,00007FF6C0455219), ref: 00007FF6C04573FB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                    • String ID: api-ms-
                                                                                    • API String ID: 2559590344-2084034818
                                                                                    • Opcode ID: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                    • Instruction ID: a38d1bd0314a6f2b99417d86184981514dfc9d48394d514539f088633d732dfc
                                                                                    • Opcode Fuzzy Hash: eedfc97f7024c66fbeb39a7219499b253e22696fd1fdab2c5f769bf1fd383016
                                                                                    • Instruction Fuzzy Hash: 31318D35A1AA42E1EA11DF06B80067633A4FF49BB6F198635DD9DCA390EF3CE145C710
                                                                                    Function 00007FF6C0451604 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 43libraryloaderCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(?,?,?,00007FF6C0451573,?,?,?,00007FF6C045192A), ref: 00007FF6C045162B
                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF6C0451573,?,?,?,00007FF6C045192A), ref: 00007FF6C0451648
                                                                                    • GetProcAddress.KERNEL32(?,?,?,00007FF6C0451573,?,?,?,00007FF6C045192A), ref: 00007FF6C0451664
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$HandleModule
                                                                                    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                                                                    • API String ID: 667068680-1718035505
                                                                                    • Opcode ID: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                    • Instruction ID: 1110e65ee980caea7a55e94d8d40d3b22db60106f036dac97ffe94903ff190a6
                                                                                    • Opcode Fuzzy Hash: 4fe35f58cd4175722fa2f4edd42b7d77b08fa8d78ae8e9bf73ccac7c2071e7f8
                                                                                    • Instruction Fuzzy Hash: AA110935A1AB02F3FE658F00A94027723A56F09B96F4CD539C8DDC67A0EF3CA4858740
                                                                                    Function 00007FF6C043ED24 Relevance: 9.1, APIs: 6, Instructions: 120timeCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                      • Part of subcall function 00007FF6C04351A4: GetVersionExW.KERNEL32 ref: 00007FF6C04351D5
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0425AB4), ref: 00007FF6C043ED8C
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0425AB4), ref: 00007FF6C043ED98
                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0425AB4), ref: 00007FF6C043EDA8
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0425AB4), ref: 00007FF6C043EDB6
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0425AB4), ref: 00007FF6C043EDC4
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF6C0425AB4), ref: 00007FF6C043EE05
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                    • String ID:
                                                                                    • API String ID: 2092733347-0
                                                                                    • Opcode ID: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                    • Instruction ID: 4ce8f460c4db59f6a713e2b6c20c02386099f9a158b2c8a700eea7ff379f7aac
                                                                                    • Opcode Fuzzy Hash: 197518eb8103cda2bd6b54f1f5e99fa721289ee203340eaf45d2c62117a67569
                                                                                    • Instruction Fuzzy Hash: B2517AB2B00651DAEB04CFA9D4505AD37B1F748B89B60903ADE4DE7B58EF38E556CB00
                                                                                    Function 00007FF6C043F010 Relevance: 9.1, APIs: 6, Instructions: 80timeCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$File$System$Local$SpecificVersion
                                                                                    • String ID:
                                                                                    • API String ID: 2092733347-0
                                                                                    • Opcode ID: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                    • Instruction ID: 80d402b44ade8c67cc443f9fb7fc00e734509d6f88cc19bad4d59e4df696e04c
                                                                                    • Opcode Fuzzy Hash: 93bf5fe4be91675a5f4cba4a2df0f2c5ed0bd126a165fd4d88c3e7d5e64543a6
                                                                                    • Instruction Fuzzy Hash: 7C312762B10A51DAEB04CFB5E8901AD3770FB08759B54902AEE4ED7B58EF38D895C700
                                                                                    Function 00007FF6C0437918 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 233COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID: .rar$exe$rar$sfx
                                                                                    • API String ID: 3668304517-630704357
                                                                                    • Opcode ID: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                                    • Instruction ID: cf5e83eddae19e4ecf53308b19405fe05905c62c6bcdd1f9cf9545a245d7801a
                                                                                    • Opcode Fuzzy Hash: 2fc35cbdd70ebaba8229e08f8487c40f3259a53efddd90ef8447a9b59f22dcea
                                                                                    • Instruction Fuzzy Hash: 26A1D322A04A06E0EB149F25D8452BE2361BF59BA9F50A235DEDDC77E6DF3CE641C340
                                                                                    Function 00007FF6C0455CE8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 191COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: abort$CallEncodePointerTranslator
                                                                                    • String ID: MOC$RCC
                                                                                    • API String ID: 2889003569-2084237596
                                                                                    • Opcode ID: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                    • Instruction ID: 34a9492667bc6764048c6893aa756df3807b91c6219567a984a55e6da593560c
                                                                                    • Opcode Fuzzy Hash: 0f4c2d06ef2d655583c55900dbb020dcf620b12558a4295111afe460be181df6
                                                                                    • Instruction Fuzzy Hash: 3291B077A08B81EAE710CFA4E4502AE7BA0F744789F10813AEE8D97B55DF38D195CB00
                                                                                    Function 00007FF6C0454F80 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                    • String ID: csm$f
                                                                                    • API String ID: 2395640692-629598281
                                                                                    • Opcode ID: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                    • Instruction ID: f73b09c86a9e3e0cc04b0f6d920cb7af21d9fecc90ec73cda9017eb435785217
                                                                                    • Opcode Fuzzy Hash: a7c39da158025e753bf36dfb1e051fd0b17def11f5f8def40396cbfe1c046983
                                                                                    • Instruction Fuzzy Hash: A851B13AE19A02E6EB14CF55E454B3A37A5FB40B89F50C034DA9AC7788DF78E941C740
                                                                                    Function 00007FF6C042CEE0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 139COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                                                                    • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                                                                    • API String ID: 2102711378-639343689
                                                                                    • Opcode ID: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
                                                                                    • Instruction ID: a5b625f49b9356486004f5fba27183055a08d29e558bc6cfbd145423cc83594a
                                                                                    • Opcode Fuzzy Hash: 6c1d5a5d5395298d9d74f6f4ee4569930d238c95dd33962f37e3fdaa32d53d1a
                                                                                    • Instruction Fuzzy Hash: DD51C2A2F18642E5FB00DF65D8442BE2361AF857AAF008635DE9DD77A6DF3CA485C340
                                                                                    Function 00007FF6C0447B28 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 122COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$Rect
                                                                                    • String ID: RarHtmlClassName
                                                                                    • API String ID: 2396740005-1658105358
                                                                                    • Opcode ID: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                                    • Instruction ID: b55208c842f3ba5f8ad15ca2cc56a18e49548ac1c39c61e439b34db84a874ccd
                                                                                    • Opcode Fuzzy Hash: 95333b9ad2bfddc98b100d65ee3ae7a1141886215ecc40d0d40dcbf9cb340d19
                                                                                    • Instruction Fuzzy Hash: 50518026A08B82E6EA249F66E44477B63A0FB85B81F008535DECEC7B55DF3CE4458B40
                                                                                    Function 00007FF6C044FD0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 76COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                                                                    • String ID: sfxcmd$sfxpar
                                                                                    • API String ID: 3540648995-3493335439
                                                                                    • Opcode ID: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                                    • Instruction ID: 61e0756cadd6b653d1582375615aa426a1fb3b0aec850631be044289d9499a5b
                                                                                    • Opcode Fuzzy Hash: 65c4bc3e57016a74e8805048ea790c6f4a694eba210e4a6448e418b17608a108
                                                                                    • Instruction Fuzzy Hash: F5319EB2E14A16E4EB008FA5E4841AE3371EB48B99F148131DE9ED77A8DF38E051C344
                                                                                    Function 00007FF6C044FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52COMMON
                                                                                    Download Yara Rule
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: RENAMEDLG$REPLACEFILEDLG
                                                                                    • API String ID: 0-56093855
                                                                                    • Opcode ID: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                    • Instruction ID: 02ddb65545b7caa66a75f75e7e6b936630b5a35d877b5c4df86b9218be8037ee
                                                                                    • Opcode Fuzzy Hash: 98f895654b64cd1d2f90e97d30244ed9b67d31cc2014a88c355cd353264df31a
                                                                                    • Instruction Fuzzy Hash: D0210321A18B47F2FA118F99A84417627A0AF49B8AF54C937D9CDC7360DF3CE598C380
                                                                                    Function 00007FF6C045BFB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                    • API String ID: 4061214504-1276376045
                                                                                    • Opcode ID: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                    • Instruction ID: abaeaf6cf380929163e89f9c700a8cb95f31595f4bd802b26747d5e2a97ae693
                                                                                    • Opcode Fuzzy Hash: 42a4ca90c7c49dddb16080121233970ff8583544d2054868cb5f0899d871e2db
                                                                                    • Instruction Fuzzy Hash: E1F06235A19A42E1EF448F51F85027A6360EF88B96F44903AD9CFC6764EF3CE485C700
                                                                                    Function 00007FF6C04645C0 Relevance: 7.7, APIs: 5, Instructions: 203COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID:
                                                                                    • API String ID: 3215553584-0
                                                                                    • Opcode ID: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                                    • Instruction ID: 97aaa4207f9727f9a326253abaff60997dc1787441b20748d4c79f0b770bf2be
                                                                                    • Opcode Fuzzy Hash: cf462e6f26ae3af6f96c078c51b53c82231ed120809331cf2f591469c69a5a17
                                                                                    • Instruction Fuzzy Hash: 3F81BF36F18652E9FB209F65D8406BE26A0BB85B8AF00C135DD8ED3B95EF3CA445C710
                                                                                    Function 00007FF6C0433AF8 Relevance: 7.7, APIs: 5, Instructions: 164filetimeCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 2398171386-0
                                                                                    • Opcode ID: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
                                                                                    • Instruction ID: caf2a591a90798d3145d1cc11822ff1daec299799e7cabf537fef75d53730784
                                                                                    • Opcode Fuzzy Hash: 14fdea18fdcf977c61dce6ecaccc8aa35300d093acc7d7c713630260d7cb0aba
                                                                                    • Instruction Fuzzy Hash: 4051A362B08A42E9FB50CF65E4403BE63B2AB487AAF04A635DE9DD77D5DF3C94458300
                                                                                    Function 00007FF6C0463F34 Relevance: 7.6, APIs: 5, Instructions: 142fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 3659116390-0
                                                                                    • Opcode ID: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
                                                                                    • Instruction ID: 8b9b5f1b1bd38365a5832425382f34137a6d3015c5c4b75327ad16e002037e58
                                                                                    • Opcode Fuzzy Hash: 8f90b3f8899b92826fb288bc35eb601c263b89b4fb676f823db5d062d6f6b41f
                                                                                    • Instruction Fuzzy Hash: 7D519E32A18A51D9EB10CF65D4443AE3BB1BB89B99F048135DE8AD7B99EF38D185C700
                                                                                    Function 00007FF6C0451E00 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$AllocString
                                                                                    • String ID:
                                                                                    • API String ID: 262959230-0
                                                                                    • Opcode ID: 55eea0222137253c860f73f771396d48486a61dcff80d6f5aaddb46a2ec13fc8
                                                                                    • Instruction ID: 256f87a1a06a9c8a30e3dc82cb805a64d033042921ab0de4cd90187e5f55469e
                                                                                    • Opcode Fuzzy Hash: 55eea0222137253c860f73f771396d48486a61dcff80d6f5aaddb46a2ec13fc8
                                                                                    • Instruction Fuzzy Hash: 9241A336A09646E9EB149F21945137A32A1EF08FA6F148634EAADC77E5DF3CE1418300
                                                                                    Function 00007FF6C045F414 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc
                                                                                    • String ID:
                                                                                    • API String ID: 190572456-0
                                                                                    • Opcode ID: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
                                                                                    • Instruction ID: dc87be887967c3f824f192c565052c00c2250e13597178911495863417b87244
                                                                                    • Opcode Fuzzy Hash: d8da239e760e4119be076ce5ae60c5d71a4e7276355522d8061e2664917ecd9d
                                                                                    • Instruction Fuzzy Hash: 2841CF35B09A56F1FA158F16A8046B77295BB14B91F098535DD9DCB744EF3CE0408341
                                                                                    Function 00007FF6C04656D8 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _set_statfp
                                                                                    • String ID:
                                                                                    • API String ID: 1156100317-0
                                                                                    • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                                                    • Instruction ID: db01dda2bd845f41f11ae69b619b77be779ca4c68acddfc53592da31d33a848b
                                                                                    • Opcode Fuzzy Hash: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                                                                    • Instruction Fuzzy Hash: 9E116D76F18A07E1FA541B24E54237B11516F553A3E48C234EAFECA7D6BF2CA8404305
                                                                                    Function 00007FF6C044FE24 Relevance: 7.5, APIs: 5, Instructions: 29windowsynchronizationCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                                                                    • String ID:
                                                                                    • API String ID: 3621893840-0
                                                                                    • Opcode ID: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
                                                                                    • Instruction ID: 772cbc6df335732441e48994620ee6d47003a48d5f341dd5a9cbc3814c2dc4bc
                                                                                    • Opcode Fuzzy Hash: eb57a341668d454e4e6cd52f39bb1811463ddcab187ea95c48cb89abc8d18535
                                                                                    • Instruction Fuzzy Hash: 85F04F21B28456E2F7108F61E458E772261FFA4B06F549531E58EC5AA49F3CD149C700
                                                                                    Function 00007FF6C045625C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: __except_validate_context_recordabort
                                                                                    • String ID: csm$csm
                                                                                    • API String ID: 746414643-3733052814
                                                                                    • Opcode ID: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
                                                                                    • Instruction ID: 732ba165c9fb3313c9fbafc8418b0da3180eb952a3ee3f1750f30b2279645e9f
                                                                                    • Opcode Fuzzy Hash: 91fc108a1c492767e4bb41002f60c2920875b1ec76e01922ab372504797a4c8e
                                                                                    • Instruction Fuzzy Hash: 8C71907A608691E6D7608F25905077EBBA4EB05B8AF14C135EE8CC7B85CF3CD491C745
                                                                                    Function 00007FF6C04580F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: $*
                                                                                    • API String ID: 3215553584-3982473090
                                                                                    • Opcode ID: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
                                                                                    • Instruction ID: b99ad8b46f137a31b1db5432fc6fc0beaee84970363a85b69b6f54932dc3ddb5
                                                                                    • Opcode Fuzzy Hash: 42643a1ee39b50d27a50b926b179a62c0cdc4d381fe14b17104e750277292b9f
                                                                                    • Instruction Fuzzy Hash: 0C51557A90CA42EAE7648F28844537E3FA1FB05B1AF14917DD6CAE1399CF78D481C705
                                                                                    Function 00007FF6C0461758 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide$StringType
                                                                                    • String ID: $%s
                                                                                    • API String ID: 3586891840-3791308623
                                                                                    • Opcode ID: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
                                                                                    • Instruction ID: 19a832e35c9eb62fb33b4f70631c088635659b485fc20dcbb4c23ac5d292560c
                                                                                    • Opcode Fuzzy Hash: 8174e861c2faa6f2f7f5292a0ee7474812abc1109b8acb2517e9a7bc716d8d39
                                                                                    • Instruction Fuzzy Hash: 4E41A532B14B81EAEB219F25D8006AA2391FB44BA9F488635DE9DC77D4EF3CE4418340
                                                                                    Function 00007FF6C04566A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFrameInfo__except_validate_context_recordabort
                                                                                    • String ID: csm
                                                                                    • API String ID: 2466640111-1018135373
                                                                                    • Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                                                    • Instruction ID: 56a7e87625f145da6b39d5a2b0faff6c85334ecc506cf6d5b74b7e08973d03c1
                                                                                    • Opcode Fuzzy Hash: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                                                                    • Instruction Fuzzy Hash: 7A516A7A619742D7EA60AF66E04026F77A4FB88BA1F044134EBCD87B55CF38E460CB01
                                                                                    Function 00007FF6C0464360 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                    • String ID: U
                                                                                    • API String ID: 2456169464-4171548499
                                                                                    • Opcode ID: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
                                                                                    • Instruction ID: 7b2f7eff70d6f4b1b45052ab48732d9a37bd63228d976ff020b1ed7bf3681d9d
                                                                                    • Opcode Fuzzy Hash: a3c4996b5397ae7c68c43f4944c85cd830f0b958292ccb38960a62bfe152ddee
                                                                                    • Instruction Fuzzy Hash: 4A41AE22B18A81D2EB208F65E8453BA77A0FB88795F448135EE8DC7788EF7CD445C740
                                                                                    Function 00007FF6C04490B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectRelease
                                                                                    • String ID:
                                                                                    • API String ID: 1429681911-3916222277
                                                                                    • Opcode ID: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
                                                                                    • Instruction ID: 3bb25b5f1b72fc6c1d59f5efa1b57260a567c2552e5fdbb45de2876a0a7ab3f1
                                                                                    • Opcode Fuzzy Hash: 0b5772d91688d342ea342be5c9c3c9ea07a5ad9e93d570546deb1a9808731c40
                                                                                    • Instruction Fuzzy Hash: 64313E3560975296DA049F13B818A2B7760F78AFD2F508936ED8AC7754CF3CD449CB40
                                                                                    Function 00007FF6C043E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • InitializeCriticalSection.KERNEL32(?,?,?,00007FF6C044317F,?,?,00001000,00007FF6C042E51D), ref: 00007FF6C043E8BB
                                                                                    • CreateSemaphoreW.KERNEL32(?,?,?,00007FF6C044317F,?,?,00001000,00007FF6C042E51D), ref: 00007FF6C043E8CB
                                                                                    • CreateEventW.KERNEL32(?,?,?,00007FF6C044317F,?,?,00001000,00007FF6C042E51D), ref: 00007FF6C043E8E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                    • String ID: Thread pool initialization failed.
                                                                                    • API String ID: 3340455307-2182114853
                                                                                    • Opcode ID: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
                                                                                    • Instruction ID: 238375313c292344cdb7dcc5faea280ce2ff4e3e97a18e2313cc7228df4c1546
                                                                                    • Opcode Fuzzy Hash: 6610cce2f1ff4f40d78c24fcbab0d777ace7136147ab701da82aad1b7a389e44
                                                                                    • Instruction Fuzzy Hash: 7321C372E16642D6F7508F25D4447AA32A2EB88B0EF18C134CA8DCB395DF7E98458780
                                                                                    Function 00007FF6C04485E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDeviceRelease
                                                                                    • String ID:
                                                                                    • API String ID: 127614599-3916222277
                                                                                    • Opcode ID: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                    • Instruction ID: c30d4a1343d0bad293d22a3405de1f3a3a21cbdae7e125cc8123b9a20b58f358
                                                                                    • Opcode Fuzzy Hash: a42f7bf34e2550c06df92b4c4441a28b155cc5d7cfc3f2a0da00e80f490195b4
                                                                                    • Instruction Fuzzy Hash: 91E08C20B08642D2EB086BB6B58982B2261AB4CBD1F158936DA5ACB794CE3CC4844300
                                                                                    Function 00007FF6C042D1A8 Relevance: 6.2, APIs: 4, Instructions: 238timeCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                                                                    • String ID:
                                                                                    • API String ID: 1137671866-0
                                                                                    • Opcode ID: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
                                                                                    • Instruction ID: 837ae6b5962723ae68ad7326373200f6927c3672f82d061f48a56e65c8684ea1
                                                                                    • Opcode Fuzzy Hash: 6a66750d7d38e285348c6a4672a5517d432b12a502a6a2b91e6f62eece89d76d
                                                                                    • Instruction Fuzzy Hash: 73A18062B18A82E1EA10DF65E4481AF6361FB85785F409531EADDC3BA9DF3CE544C700
                                                                                    Function 00007FF6C0440548 Relevance: 6.1, APIs: 4, Instructions: 122COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast
                                                                                    • String ID:
                                                                                    • API String ID: 1452528299-0
                                                                                    • Opcode ID: 47ce399c8b5a93a9ee7e183f504d796df39c479f65169f8ae0637efe197c3b7b
                                                                                    • Instruction ID: 752abdfd1528ca7122db106eb3b514d7d8b04f58cc69e491d707cdde633066b9
                                                                                    • Opcode Fuzzy Hash: 47ce399c8b5a93a9ee7e183f504d796df39c479f65169f8ae0637efe197c3b7b
                                                                                    • Instruction Fuzzy Hash: A2519172B14A46E5FB009F64D4442EE2321EB89B9AF408236DA9CD7B96EF3CD254C340
                                                                                    Function 00007FF6C0449D90 Relevance: 6.1, APIs: 4, Instructions: 106COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                                                                    • String ID:
                                                                                    • API String ID: 1077098981-0
                                                                                    • Opcode ID: 91dec681af915968dd102d853b3eeeabd4842e789cbe2ad92d88e952f467e522
                                                                                    • Instruction ID: 78b8d7e1bb34a95dd53ea224be031949d1aa361e2515792973e7dc8d6e69372d
                                                                                    • Opcode Fuzzy Hash: 91dec681af915968dd102d853b3eeeabd4842e789cbe2ad92d88e952f467e522
                                                                                    • Instruction Fuzzy Hash: D7517E32A18B42E6E7408F61E4447AE73A4FB85B85F508536EA8DD7B54DF3DD808CB40
                                                                                    Function 00007FF6C045DB5C Relevance: 6.1, APIs: 4, Instructions: 104COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                    • String ID:
                                                                                    • API String ID: 4141327611-0
                                                                                    • Opcode ID: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                    • Instruction ID: 064e361d132905d704df196d5f9fb602ae70231e481d4974a31e0f505dc647c4
                                                                                    • Opcode Fuzzy Hash: fdb879c7c344a6dcddabd48f24568e2f5e84c2dc3f6ceef9c32cec135b3ccbbf
                                                                                    • Instruction Fuzzy Hash: F941603AA08642E6FF769F14914437B72A1AF90B92F15C131DADDC6B99DF6CE881C700
                                                                                    Function 00007FF6C0433980 Relevance: 6.1, APIs: 4, Instructions: 101fileCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                                                                    • String ID:
                                                                                    • API String ID: 3823481717-0
                                                                                    • Opcode ID: 47dbf0decc8272d9a7ae459b130201949f9107b8ec80fb87a20ec63cf3da1f82
                                                                                    • Instruction ID: 49e703db6bdbcd2de040afb8f1a925f8ec1e0bd4ae690d120e2e57a7363bb1a4
                                                                                    • Opcode Fuzzy Hash: 47dbf0decc8272d9a7ae459b130201949f9107b8ec80fb87a20ec63cf3da1f82
                                                                                    • Instruction Fuzzy Hash: 5941AEA2F18651D4FB00DF65E8441AE2372BB49BA6F10A235EE9DE7B99DF78D045C300
                                                                                    Function 00007FF6C0460B78 Relevance: 6.1, APIs: 4, Instructions: 74COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C045C45B), ref: 00007FF6C0460B91
                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C045C45B), ref: 00007FF6C0460BF3
                                                                                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C045C45B), ref: 00007FF6C0460C2D
                                                                                    • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C045C45B), ref: 00007FF6C0460C57
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                                                    • String ID:
                                                                                    • API String ID: 1557788787-0
                                                                                    • Opcode ID: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                    • Instruction ID: 519776f257dfaf0360f1fddd31df9272ab052298d94098107fc0eda448d3e78a
                                                                                    • Opcode Fuzzy Hash: 23704c5f87cc5d65a6a85ab0da0438508b9fc27f2b888927c3d6011bf25654c1
                                                                                    • Instruction Fuzzy Hash: A0214471B18B51D1E6649F11A44002B77A4FB54FD2B488234DEDEE3B98EF3CE4528704
                                                                                    Function 00007FF6C045D440 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$abort
                                                                                    • String ID:
                                                                                    • API String ID: 1447195878-0
                                                                                    • Opcode ID: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                    • Instruction ID: 57e8c2f49a435b7f6b424d7717800c813886ea7eb113f41e6f2da325029b1f7a
                                                                                    • Opcode Fuzzy Hash: df247b5a3948333368795c339682862bf84e23f7c025c70b8dad3e7beb060077
                                                                                    • Instruction Fuzzy Hash: 5B018038B08602E2FE68AF71655517A32A15F44792F04C538D9DEC27D6EF3CB8058300
                                                                                    Function 00007FF6C0448590 Relevance: 6.0, APIs: 4, Instructions: 21COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDevice$Release
                                                                                    • String ID:
                                                                                    • API String ID: 1035833867-0
                                                                                    • Opcode ID: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                    • Instruction ID: 18fecea8e89abc2e9b64bab72d714b8ca1ddee47ea38730132c7532554b01430
                                                                                    • Opcode Fuzzy Hash: de15d0a72ac65e47349a1b4cc9ca260558533dfe27db70e7b1e031f833f09c6c
                                                                                    • Instruction Fuzzy Hash: 88E0ED60E09602E2FF085FB268995372190AF49743F48CD3BC85ECA350DF3CE1858750
                                                                                    Function 00007FF6C042E34C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn
                                                                                    • String ID: DXGIDebug.dll
                                                                                    • API String ID: 3668304517-540382549
                                                                                    • Opcode ID: 0a6e8a5cf670b8866c9f9b50e0138bc92bc45c918b99fe1d1ba172bd3edf1b53
                                                                                    • Instruction ID: 8bd590aeb4d75a7f52d939907673e5fc3f11b862de34e4758775cb650f81c6c5
                                                                                    • Opcode Fuzzy Hash: 0a6e8a5cf670b8866c9f9b50e0138bc92bc45c918b99fe1d1ba172bd3edf1b53
                                                                                    • Instruction Fuzzy Hash: 9771AD72A14B81E2EB14CF65E5443AEB3A4FB58B94F448236DBAC87BA5DF78D051C300
                                                                                    Function 00007FF6C045E1F4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo
                                                                                    • String ID: e+000$gfff
                                                                                    • API String ID: 3215553584-3030954782
                                                                                    • Opcode ID: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                    • Instruction ID: e52a66dcf71e0ebd0f2253d3aab5141b41db11d3f56addeabe8f07cb1f40167c
                                                                                    • Opcode Fuzzy Hash: ffbcb58cc87a1110f60409a8afde5d08377aab6ce8cf060c3284a5669936e3c2
                                                                                    • Instruction Fuzzy Hash: 70510276B1C7C1A6E7298F36984076A7A91AB80B91F08C271DAD8C7BDACF2CD4448700
                                                                                    Function 00007FF6C0439408 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                                                                    • String ID: SIZE
                                                                                    • API String ID: 449872665-3243624926
                                                                                    • Opcode ID: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                                    • Instruction ID: 600485e862f8e843bf8edeaefbb0264b077da6acfcfff2f194973c6234bf5c3a
                                                                                    • Opcode Fuzzy Hash: 1ee6a6b9fbbd6c3126f8bc5ffec1b6aa008f2877db1f13591811bbd6ed408201
                                                                                    • Instruction Fuzzy Hash: 7C419F63A18642E5EA11DF14E4453BB6350AB99792F509231EADDC37D6EF3CD980C704
                                                                                    Function 00007FF6C045C2C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileModuleName_invalid_parameter_noinfo
                                                                                    • String ID: C:\Users\user\Desktop\0438.pdf.exe
                                                                                    • API String ID: 3307058713-792344357
                                                                                    • Opcode ID: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                    • Instruction ID: 186374abe12d2cdcfeb59034300cecb964b575429bf7d826e1cd30bc0e86a6b6
                                                                                    • Opcode Fuzzy Hash: 2b307fc7043d57580c2760bc14d10e66149d3294dbd6a1f00798eb6953a6f573
                                                                                    • Instruction Fuzzy Hash: 0D414C7AA08A56EAEB149F25A8400BE77A4EF44B95F54C036ED8EC7B85DF3DE4418340
                                                                                    Function 00007FF6C0449B40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemText$DialogWindow
                                                                                    • String ID: ASKNEXTVOL
                                                                                    • API String ID: 445417207-3402441367
                                                                                    • Opcode ID: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
                                                                                    • Instruction ID: e1da7afdb0a4d162483765e83ad1a11cf3df4314e22b6e0268a4617639c61a6f
                                                                                    • Opcode Fuzzy Hash: 97ebd98f0834f70bd8f3ada112357d921bc9d5e9383391aa045354938bfaeae3
                                                                                    • Instruction Fuzzy Hash: F9418421B08682F1FA509F52E5942BB23A1AF85BC2F148036DECDC7795DF3CE9419384
                                                                                    Function 00007FF6C0439638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide_snwprintf
                                                                                    • String ID: $%s$@%s
                                                                                    • API String ID: 2650857296-834177443
                                                                                    • Opcode ID: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                    • Instruction ID: 06b3665c4e4c3c1dbf58647a75264032923534cdf26bd741b5e5934cc14a13b1
                                                                                    • Opcode Fuzzy Hash: 68d6d98aec82f67e7f26d78b4367655257a27e60e60eb814561ac576190adeba
                                                                                    • Instruction Fuzzy Hash: AC31E372B19A46E5EA108F66E4402EB23A0FB497C5F40A032EE8DC7795EF3CE915C740
                                                                                    Function 00007FF6C045EB04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileHandleType
                                                                                    • String ID: @
                                                                                    • API String ID: 3000768030-2766056989
                                                                                    • Opcode ID: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                    • Instruction ID: 72a994f25d39ae97cd4f7aead8abe1ff810d34ec2ba076abde93f70cffa65df6
                                                                                    • Opcode Fuzzy Hash: 01c4e23626c5bd34e0d32a71787dfe5976e9b76bf070a7e2fa99837352baeece
                                                                                    • Instruction Fuzzy Hash: 9021AD36E0CA82D1EB688F26949053A3651EB45776F288335D6AFC67D4DF38E881C300
                                                                                    Function 00007FF6C0454078 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C0451D3E), ref: 00007FF6C04540BC
                                                                                    • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C0451D3E), ref: 00007FF6C0454102
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFileHeaderRaise
                                                                                    • String ID: csm
                                                                                    • API String ID: 2573137834-1018135373
                                                                                    • Opcode ID: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                    • Instruction ID: 653cc94c5c0b29a88be4481fbd082de572d2c069269b1c48bdc473e3fb341ff8
                                                                                    • Opcode Fuzzy Hash: 995ce70781ed1107fbe35a2df86b6ab92d82f2488d4e31342cdb9a65d606da21
                                                                                    • Instruction Fuzzy Hash: 31112B36608B4192EB608F15E44026A77A1FB88B99F288235DFCD87794DF3DD555C700
                                                                                    Function 00007FF6C043EA5C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16synchronizationCOMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C043E95F,?,?,?,00007FF6C043463A,?,?,?), ref: 00007FF6C043EA63
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF6C043E95F,?,?,?,00007FF6C043463A,?,?,?), ref: 00007FF6C043EA6E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastObjectSingleWait
                                                                                    • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                                                    • API String ID: 1211598281-2248577382
                                                                                    • Opcode ID: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                    • Instruction ID: edd27a856b0442219b3176d9c04eb60a12b4660f288511c5a36aeabf6c43ddc5
                                                                                    • Opcode Fuzzy Hash: 98ce5a6e9b01a49333d4d7b683bb298ff4a8e953ba0927a3bf2f7aa8eb90df55
                                                                                    • Instruction Fuzzy Hash: 0BE09A60E29802E1F200AF209C464BB22207F60372F908331D0BEC13E1AF2CA9498341
                                                                                    Function 00007FF6C043A43C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON
                                                                                    Download Yara Rule
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1705889456.00007FF6C0421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C0420000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1705867956.00007FF6C0420000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705944063.00007FF6C0468000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C047B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1705985625.00007FF6C0484000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1706036458.00007FF6C048E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_7ff6c0420000_0438.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindHandleModuleResource
                                                                                    • String ID: RTL
                                                                                    • API String ID: 3537982541-834975271
                                                                                    • Opcode ID: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                    • Instruction ID: 77ec3af47597800b8737e3d7f8d21b7d4d2e17aef4ce716fde673998c23323d9
                                                                                    • Opcode Fuzzy Hash: e39cf6139d6c3c808756c827088780cb49cd2dd94430b396554b51375d39015a
                                                                                    • Instruction Fuzzy Hash: 4AD01791F09602D2FF194F61A45937612605B19B42F48D038C88AC6391EF6C9499C750